From 9b1e4cde7eac91d0921e4ed6d60a3f75798bb9dc Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Thu, 12 Nov 2020 12:11:22 -0500 Subject: [PATCH 1/4] Trivial tweak to indicate when artifacts include experimental changes --- experimental/generated/beats/fields.ecs.yml | 2 +- experimental/generated/csv/fields.csv | 1438 ++++++++--------- .../generated/elasticsearch/7/template.json | 2 +- scripts/generator.py | 4 + scripts/schema/loader.py | 4 +- 5 files changed, 727 insertions(+), 723 deletions(-) diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 5352e2bb18..011044f340 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 2.0.0-dev. +# based on ECS version 2.0.0-dev+exp. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 67053f2d9c..21ba53154c 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -1,720 +1,720 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -2.0.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -2.0.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -2.0.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. -2.0.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -2.0.0-dev,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -2.0.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -2.0.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -2.0.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -2.0.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -2.0.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -2.0.0-dev,true,client,client.address,keyword,extended,,,Client network address. -2.0.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -2.0.0-dev,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name. -2.0.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. -2.0.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -2.0.0-dev,true,client,client.domain,wildcard,core,,,Client domain. -2.0.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -2.0.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. 
-2.0.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -2.0.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -2.0.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -2.0.0-dev,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -2.0.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -2.0.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -2.0.0-dev,true,client,client.ip,ip,core,,,IP address of the client. -2.0.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client. -2.0.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -2.0.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port -2.0.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -2.0.0-dev,true,client,client.port,long,core,,,Port of the client. -2.0.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -2.0.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -2.0.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -2.0.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,client,client.user.email,wildcard,extended,,,User email address. -2.0.0-dev,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-2.0.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -2.0.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -2.0.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. -2.0.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -2.0.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -2.0.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -2.0.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -2.0.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -2.0.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -2.0.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. -2.0.0-dev,true,container,container.id,keyword,core,,,Unique container id. -2.0.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. 
-2.0.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. -2.0.0-dev,true,container,container.labels,object,extended,,,Image labels. -2.0.0-dev,true,container,container.name,keyword,extended,,,Container name. -2.0.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -2.0.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. -2.0.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -2.0.0-dev,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name. -2.0.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. -2.0.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -2.0.0-dev,true,destination,destination.domain,wildcard,core,,,Destination domain. -2.0.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -2.0.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -2.0.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -2.0.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -2.0.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -2.0.0-dev,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -2.0.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -2.0.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -2.0.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. -2.0.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination. 
-2.0.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -2.0.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -2.0.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -2.0.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -2.0.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -2.0.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -2.0.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -2.0.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address. -2.0.0-dev,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user. 
-2.0.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -2.0.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -2.0.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -2.0.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -2.0.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -2.0.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -2.0.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -2.0.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -2.0.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -2.0.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -2.0.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -2.0.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -2.0.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -2.0.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -2.0.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -2.0.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
-2.0.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -2.0.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -2.0.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -2.0.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. -2.0.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -2.0.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -2.0.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -2.0.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -2.0.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -2.0.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -2.0.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -2.0.0-dev,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried. -2.0.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -2.0.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -2.0.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -2.0.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. 
-2.0.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -2.0.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -2.0.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -2.0.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -2.0.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. -2.0.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. -2.0.0-dev,true,error,error.message,text,core,,,Error message. -2.0.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -2.0.0-dev,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. -2.0.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -2.0.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -2.0.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -2.0.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. -2.0.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -2.0.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -2.0.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -2.0.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. -2.0.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. 
-2.0.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -2.0.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -2.0.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -2.0.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -2.0.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -2.0.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -2.0.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. -2.0.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -2.0.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -2.0.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -2.0.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -2.0.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. -2.0.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. -2.0.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -2.0.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. -2.0.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. 
-2.0.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -2.0.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. -2.0.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -2.0.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -2.0.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -2.0.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -2.0.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -2.0.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -2.0.0-dev,true,file,file.created,date,extended,,,File creation time. -2.0.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -2.0.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -2.0.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. -2.0.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -2.0.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -2.0.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -2.0.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -2.0.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -2.0.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -2.0.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. 
-2.0.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -2.0.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -2.0.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -2.0.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -2.0.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. -2.0.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -2.0.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. -2.0.0-dev,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." -2.0.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -2.0.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -2.0.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -2.0.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -2.0.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -2.0.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -2.0.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -2.0.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -2.0.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. -2.0.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. 
-2.0.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks. -2.0.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -2.0.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -2.0.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -2.0.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -2.0.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -2.0.0-dev,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -2.0.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -2.0.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -2.0.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -2.0.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -2.0.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -2.0.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -2.0.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
-2.0.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -2.0.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -2.0.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -2.0.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -2.0.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -2.0.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -2.0.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code -2.0.0-dev,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -2.0.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -2.0.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -2.0.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -2.0.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -2.0.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -2.0.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-2.0.0-dev,true,group,group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -2.0.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -2.0.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -2.0.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -2.0.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -2.0.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -2.0.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -2.0.0-dev,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -2.0.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -2.0.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -2.0.0-dev,true,host,host.hostname,wildcard,core,,,Hostname of the host. -2.0.0-dev,true,host,host.id,keyword,core,,,Unique host id. -2.0.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. -2.0.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. -2.0.0-dev,true,host,host.name,keyword,core,,,Name of the host. -2.0.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -2.0.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -2.0.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -2.0.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -2.0.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." 
-2.0.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -2.0.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -2.0.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -2.0.0-dev,true,host,host.type,keyword,core,,,Type of host. -2.0.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -2.0.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,host,host.user.email,wildcard,extended,,,User email address. -2.0.0-dev,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -2.0.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. 
-2.0.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. -2.0.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -2.0.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. -2.0.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -2.0.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. -2.0.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -2.0.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -2.0.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. -2.0.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -2.0.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -2.0.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -2.0.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. -2.0.0-dev,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -2.0.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. -2.0.0-dev,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -2.0.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. -2.0.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -2.0.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. 
-2.0.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." -2.0.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata -2.0.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -2.0.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -2.0.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -2.0.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -2.0.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -2.0.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. -2.0.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -2.0.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -2.0.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -2.0.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -2.0.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -2.0.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information -2.0.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -2.0.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -2.0.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -2.0.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -2.0.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. 
-2.0.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -2.0.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -2.0.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -2.0.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -2.0.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information -2.0.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -2.0.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -2.0.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -2.0.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -2.0.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -2.0.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -2.0.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -2.0.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -2.0.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -2.0.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -2.0.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -2.0.0-dev,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -2.0.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -2.0.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. 
-2.0.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -2.0.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information -2.0.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -2.0.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -2.0.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -2.0.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -2.0.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -2.0.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -2.0.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -2.0.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer -2.0.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -2.0.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -2.0.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -2.0.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -2.0.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -2.0.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." -2.0.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -2.0.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
-2.0.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -2.0.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -2.0.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -2.0.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -2.0.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -2.0.0-dev,true,observer,observer.version,keyword,core,,,Observer version. -2.0.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -2.0.0-dev,true,organization,organization.name,wildcard,extended,,,Organization name. -2.0.0-dev,true,organization,organization.name.text,text,extended,,,Organization name. -2.0.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -2.0.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -2.0.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -2.0.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -2.0.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -2.0.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. -2.0.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -2.0.0-dev,true,package,package.name,keyword,extended,,go,Package name -2.0.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. 
-2.0.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -2.0.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. -2.0.0-dev,true,package,package.type,keyword,extended,,rpm,Package type -2.0.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version -2.0.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -2.0.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. -2.0.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -2.0.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -2.0.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -2.0.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -2.0.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -2.0.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -2.0.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -2.0.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -2.0.0-dev,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. -2.0.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. -2.0.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. 
-2.0.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -2.0.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -2.0.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -2.0.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -2.0.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name. -2.0.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. -2.0.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -2.0.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -2.0.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -2.0.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -2.0.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -2.0.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -2.0.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -2.0.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -2.0.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -2.0.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -2.0.0-dev,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-2.0.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. -2.0.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -2.0.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -2.0.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -2.0.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -2.0.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -2.0.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name. -2.0.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name. -2.0.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -2.0.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -2.0.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -2.0.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -2.0.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -2.0.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -2.0.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -2.0.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. -2.0.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. -2.0.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. 
-2.0.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -2.0.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -2.0.0-dev,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name. -2.0.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title. -2.0.0-dev,true,process,process.parent.title.text,text,extended,,,Process title. -2.0.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -2.0.0-dev,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process. -2.0.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. -2.0.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -2.0.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -2.0.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -2.0.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -2.0.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -2.0.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -2.0.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -2.0.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. -2.0.0-dev,true,process,process.pid,long,core,,4242,Process id. -2.0.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid. 
-2.0.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -2.0.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. -2.0.0-dev,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name. -2.0.0-dev,true,process,process.title,wildcard,extended,,,Process title. -2.0.0-dev,true,process,process.title.text,text,extended,,,Process title. -2.0.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -2.0.0-dev,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process. -2.0.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. -2.0.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -2.0.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -2.0.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -2.0.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -2.0.0-dev,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -2.0.0-dev,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -2.0.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -2.0.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -2.0.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -2.0.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. 
-2.0.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event. -2.0.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -2.0.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -2.0.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -2.0.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID -2.0.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -2.0.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -2.0.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -2.0.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -2.0.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -2.0.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version -2.0.0-dev,true,server,server.address,keyword,extended,,,Server network address. -2.0.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -2.0.0-dev,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name. -2.0.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. -2.0.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -2.0.0-dev,true,server,server.domain,wildcard,core,,,Server domain. -2.0.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -2.0.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -2.0.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -2.0.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. -2.0.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-2.0.0-dev,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -2.0.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -2.0.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -2.0.0-dev,true,server,server.ip,ip,core,,,IP address of the server. -2.0.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server. -2.0.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip -2.0.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port -2.0.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -2.0.0-dev,true,server,server.port,long,core,,,Port of the server. -2.0.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -2.0.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -2.0.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -2.0.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,server,server.user.email,wildcard,extended,,,User email address. -2.0.0-dev,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-2.0.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -2.0.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -2.0.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -2.0.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -2.0.0-dev,true,service,service.state,keyword,core,,,Current state of the service. -2.0.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -2.0.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. -2.0.0-dev,true,source,source.address,keyword,extended,,,Source network address. -2.0.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -2.0.0-dev,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name. -2.0.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. -2.0.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -2.0.0-dev,true,source,source.domain,wildcard,core,,,Source domain. -2.0.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -2.0.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -2.0.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. 
-2.0.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -2.0.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -2.0.0-dev,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -2.0.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -2.0.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -2.0.0-dev,true,source,source.ip,ip,core,,,IP address of the source. -2.0.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source. -2.0.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip -2.0.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port -2.0.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -2.0.0-dev,true,source,source.port,long,core,,,Port of the source. -2.0.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -2.0.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -2.0.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -2.0.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,source,source.user.email,wildcard,extended,,,User email address. -2.0.0-dev,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-2.0.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -2.0.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -2.0.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -2.0.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -2.0.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -2.0.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -2.0.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -2.0.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. -2.0.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -2.0.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -2.0.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. 
-2.0.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. -2.0.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -2.0.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -2.0.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -2.0.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -2.0.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -2.0.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -2.0.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -2.0.0-dev,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -2.0.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -2.0.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. 
-2.0.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -2.0.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -2.0.0-dev,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -2.0.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -2.0.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -2.0.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -2.0.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -2.0.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -2.0.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -2.0.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -2.0.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-2.0.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -2.0.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -2.0.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -2.0.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -2.0.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -2.0.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -2.0.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -2.0.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -2.0.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -2.0.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -2.0.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code -2.0.0-dev,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -2.0.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -2.0.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
-2.0.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -2.0.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -2.0.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -2.0.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -2.0.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -2.0.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -2.0.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -2.0.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -2.0.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -2.0.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -2.0.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -2.0.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. 
-2.0.0-dev,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -2.0.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -2.0.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -2.0.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -2.0.0-dev,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -2.0.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -2.0.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -2.0.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -2.0.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -2.0.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -2.0.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -2.0.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-2.0.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -2.0.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -2.0.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -2.0.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -2.0.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -2.0.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -2.0.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -2.0.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -2.0.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -2.0.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -2.0.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code -2.0.0-dev,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -2.0.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -2.0.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
-2.0.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -2.0.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -2.0.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -2.0.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -2.0.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -2.0.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -2.0.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -2.0.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url. -2.0.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url. -2.0.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -2.0.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -2.0.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -2.0.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -2.0.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -2.0.0-dev,true,url,url.password,keyword,extended,,,Password of the request. -2.0.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." 
-2.0.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -2.0.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. -2.0.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -2.0.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -2.0.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -2.0.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -2.0.0-dev,true,url,url.username,keyword,extended,,,Username of the request. -2.0.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,user,user.changes.email,wildcard,extended,,,User email address. -2.0.0-dev,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
-2.0.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,user,user.effective.email,wildcard,extended,,,User email address. -2.0.0-dev,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,user,user.email,wildcard,extended,,,User email address. -2.0.0-dev,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. 
-2.0.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,user,user.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,user,user.target.email,wildcard,extended,,,User email address. -2.0.0-dev,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -2.0.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 
-2.0.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -2.0.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -2.0.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -2.0.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -2.0.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -2.0.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -2.0.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." -2.0.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -2.0.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -2.0.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -2.0.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -2.0.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -2.0.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. 
-2.0.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -2.0.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -2.0.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -2.0.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -2.0.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -2.0.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -2.0.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -2.0.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -2.0.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -2.0.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -2.0.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -2.0.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +2.0.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +2.0.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +2.0.0-dev+exp,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. +2.0.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. 
+2.0.0-dev+exp,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +2.0.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +2.0.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +2.0.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +2.0.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +2.0.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +2.0.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. +2.0.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +2.0.0-dev+exp,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +2.0.0-dev+exp,true,client,client.domain,wildcard,core,,,Client domain. +2.0.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +2.0.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +2.0.0-dev+exp,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +2.0.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
+2.0.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. +2.0.0-dev+exp,true,client,client.mac,keyword,core,,,MAC address of the client. +2.0.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +2.0.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port +2.0.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +2.0.0-dev+exp,true,client,client.port,long,core,,,Port of the client. +2.0.0-dev+exp,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +2.0.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +2.0.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,client,client.user.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,client,client.user.id,keyword,core,,,Unique identifier of the user. 
+2.0.0-dev+exp,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +2.0.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +2.0.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. +2.0.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +2.0.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +2.0.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +2.0.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +2.0.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +2.0.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +2.0.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. +2.0.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. +2.0.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +2.0.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. +2.0.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. +2.0.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. +2.0.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. 
+2.0.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. +2.0.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +2.0.0-dev+exp,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +2.0.0-dev+exp,true,destination,destination.domain,wildcard,core,,,Destination domain. +2.0.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +2.0.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +2.0.0-dev+exp,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +2.0.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. +2.0.0-dev+exp,true,destination,destination.mac,keyword,core,,,MAC address of the destination. +2.0.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +2.0.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +2.0.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. 
+2.0.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. +2.0.0-dev+exp,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +2.0.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +2.0.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,destination,destination.user.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
+2.0.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +2.0.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +2.0.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +2.0.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +2.0.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +2.0.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +2.0.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +2.0.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +2.0.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +2.0.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +2.0.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +2.0.0-dev+exp,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
+2.0.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +2.0.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +2.0.0-dev+exp,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. +2.0.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +2.0.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +2.0.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +2.0.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +2.0.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +2.0.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +2.0.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +2.0.0-dev+exp,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried. +2.0.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +2.0.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +2.0.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. 
+2.0.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +2.0.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +2.0.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +2.0.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +2.0.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. +2.0.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. +2.0.0-dev+exp,true,error,error.message,text,core,,,Error message. +2.0.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +2.0.0-dev+exp,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. +2.0.0-dev+exp,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +2.0.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +2.0.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +2.0.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. +2.0.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +2.0.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +2.0.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +2.0.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. 
+2.0.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +2.0.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +2.0.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +2.0.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +2.0.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +2.0.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +2.0.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +2.0.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. +2.0.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +2.0.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +2.0.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +2.0.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +2.0.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. +2.0.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. +2.0.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. 
+2.0.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. +2.0.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +2.0.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +2.0.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. +2.0.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +2.0.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +2.0.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +2.0.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +2.0.0-dev+exp,true,file,file.created,date,extended,,,File creation time. +2.0.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +2.0.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +2.0.0-dev+exp,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. +2.0.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +2.0.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +2.0.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 
+2.0.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +2.0.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +2.0.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +2.0.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +2.0.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +2.0.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +2.0.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +2.0.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +2.0.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. +2.0.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +2.0.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. +2.0.0-dev+exp,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." +2.0.0-dev+exp,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +2.0.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +2.0.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
+2.0.0-dev+exp,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +2.0.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. +2.0.0-dev+exp,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. +2.0.0-dev+exp,true,file,file.target_path.text,text,extended,,,Target path for symlinks. +2.0.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +2.0.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +2.0.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +2.0.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +2.0.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +2.0.0-dev+exp,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +2.0.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +2.0.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +2.0.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+2.0.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +2.0.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +2.0.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +2.0.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +2.0.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +2.0.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +2.0.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +2.0.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +2.0.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +2.0.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code +2.0.0-dev+exp,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +2.0.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +2.0.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
+2.0.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +2.0.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +2.0.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +2.0.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +2.0.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +2.0.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +2.0.0-dev+exp,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +2.0.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,host,host.hostname,wildcard,core,,,Hostname of the host. +2.0.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. +2.0.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. +2.0.0-dev+exp,true,host,host.mac,keyword,core,array,,Host mac addresses. +2.0.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. 
+2.0.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +2.0.0-dev+exp,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +2.0.0-dev+exp,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +2.0.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +2.0.0-dev+exp,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +2.0.0-dev+exp,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +2.0.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +2.0.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. +2.0.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +2.0.0-dev+exp,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,host,host.user.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,host,host.user.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
+2.0.0-dev+exp,true,host,host.user.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +2.0.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +2.0.0-dev+exp,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. +2.0.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +2.0.0-dev+exp,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. +2.0.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +2.0.0-dev+exp,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. +2.0.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +2.0.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +2.0.0-dev+exp,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. +2.0.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +2.0.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +2.0.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +2.0.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. 
+2.0.0-dev+exp,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +2.0.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. +2.0.0-dev+exp,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +2.0.0-dev+exp,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. +2.0.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +2.0.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +2.0.0-dev+exp,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." +2.0.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata +2.0.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +2.0.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +2.0.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +2.0.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +2.0.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +2.0.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. +2.0.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +2.0.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +2.0.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. 
+2.0.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +2.0.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +2.0.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information +2.0.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +2.0.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +2.0.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +2.0.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +2.0.0-dev+exp,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. +2.0.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +2.0.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +2.0.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +2.0.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +2.0.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information +2.0.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +2.0.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +2.0.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +2.0.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +2.0.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
+2.0.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +2.0.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +2.0.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +2.0.0-dev+exp,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +2.0.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +2.0.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information +2.0.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +2.0.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +2.0.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +2.0.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +2.0.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +2.0.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +2.0.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. 
+2.0.0-dev+exp,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer +2.0.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +2.0.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +2.0.0-dev+exp,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +2.0.0-dev+exp,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +2.0.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +2.0.0-dev+exp,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +2.0.0-dev+exp,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +2.0.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +2.0.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +2.0.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +2.0.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +2.0.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +2.0.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. +2.0.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +2.0.0-dev+exp,true,organization,organization.name,wildcard,extended,,,Organization name. 
+2.0.0-dev+exp,true,organization,organization.name.text,text,extended,,,Organization name. +2.0.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +2.0.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +2.0.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +2.0.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +2.0.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +2.0.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. +2.0.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +2.0.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name +2.0.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +2.0.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +2.0.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. +2.0.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type +2.0.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version +2.0.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +2.0.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. +2.0.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
+2.0.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +2.0.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +2.0.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +2.0.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +2.0.0-dev+exp,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +2.0.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +2.0.0-dev+exp,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. +2.0.0-dev+exp,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +2.0.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. +2.0.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +2.0.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +2.0.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +2.0.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +2.0.0-dev+exp,true,process,process.name,wildcard,extended,,ssh,Process name. +2.0.0-dev+exp,true,process,process.name.text,text,extended,,ssh,Process name. +2.0.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
+2.0.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +2.0.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +2.0.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +2.0.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +2.0.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +2.0.0-dev+exp,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +2.0.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +2.0.0-dev+exp,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. +2.0.0-dev+exp,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +2.0.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +2.0.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +2.0.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +2.0.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +2.0.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. 
+2.0.0-dev+exp,true,process,process.parent.name,wildcard,extended,,ssh,Process name. +2.0.0-dev+exp,true,process,process.parent.name.text,text,extended,,ssh,Process name. +2.0.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +2.0.0-dev+exp,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +2.0.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. +2.0.0-dev+exp,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. +2.0.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +2.0.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +2.0.0-dev+exp,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name. +2.0.0-dev+exp,true,process,process.parent.title,wildcard,extended,,,Process title. +2.0.0-dev+exp,true,process,process.parent.title.text,text,extended,,,Process title. 
+2.0.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +2.0.0-dev+exp,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process. +2.0.0-dev+exp,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. +2.0.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +2.0.0-dev+exp,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +2.0.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. +2.0.0-dev+exp,true,process,process.ppid,long,extended,,4241,Parent process' pid. +2.0.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +2.0.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. +2.0.0-dev+exp,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name. +2.0.0-dev+exp,true,process,process.title,wildcard,extended,,,Process title. 
+2.0.0-dev+exp,true,process,process.title.text,text,extended,,,Process title. +2.0.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +2.0.0-dev+exp,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process. +2.0.0-dev+exp,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. +2.0.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +2.0.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +2.0.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +2.0.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +2.0.0-dev+exp,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +2.0.0-dev+exp,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +2.0.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +2.0.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +2.0.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +2.0.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +2.0.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names seen on your event. 
+2.0.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +2.0.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +2.0.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +2.0.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID +2.0.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +2.0.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +2.0.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +2.0.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +2.0.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +2.0.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version +2.0.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. +2.0.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +2.0.0-dev+exp,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +2.0.0-dev+exp,true,server,server.domain,wildcard,core,,,Server domain. +2.0.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +2.0.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+2.0.0-dev+exp,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +2.0.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. +2.0.0-dev+exp,true,server,server.mac,keyword,core,,,MAC address of the server. +2.0.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip +2.0.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port +2.0.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +2.0.0-dev+exp,true,server,server.port,long,core,,,Port of the server. +2.0.0-dev+exp,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +2.0.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +2.0.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,server,server.user.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. 
+2.0.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,server,server.user.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +2.0.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +2.0.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +2.0.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +2.0.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. +2.0.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +2.0.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. +2.0.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. +2.0.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +2.0.0-dev+exp,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +2.0.0-dev+exp,true,source,source.domain,wildcard,core,,,Source domain. +2.0.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. 
+2.0.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +2.0.0-dev+exp,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +2.0.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. +2.0.0-dev+exp,true,source,source.mac,keyword,core,,,MAC address of the source. +2.0.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip +2.0.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port +2.0.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +2.0.0-dev+exp,true,source,source.port,long,core,,,Port of the source. +2.0.0-dev+exp,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +2.0.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +2.0.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,source,source.user.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 
+2.0.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,source,source.user.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +2.0.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +2.0.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +2.0.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +2.0.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +2.0.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +2.0.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +2.0.0-dev+exp,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. +2.0.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. 
+2.0.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +2.0.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +2.0.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. +2.0.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +2.0.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +2.0.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +2.0.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +2.0.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +2.0.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +2.0.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +2.0.0-dev+exp,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. 
+2.0.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +2.0.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +2.0.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +2.0.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +2.0.0-dev+exp,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +2.0.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +2.0.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +2.0.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +2.0.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +2.0.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +2.0.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +2.0.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
+2.0.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +2.0.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +2.0.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +2.0.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +2.0.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +2.0.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +2.0.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +2.0.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +2.0.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +2.0.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +2.0.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code +2.0.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+2.0.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +2.0.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +2.0.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +2.0.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +2.0.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +2.0.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +2.0.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +2.0.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +2.0.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +2.0.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +2.0.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +2.0.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
+2.0.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +2.0.0-dev+exp,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +2.0.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +2.0.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +2.0.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +2.0.0-dev+exp,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +2.0.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +2.0.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +2.0.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +2.0.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+2.0.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +2.0.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +2.0.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +2.0.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +2.0.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +2.0.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +2.0.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +2.0.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +2.0.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +2.0.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +2.0.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +2.0.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+2.0.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code +2.0.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +2.0.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +2.0.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +2.0.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +2.0.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +2.0.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +2.0.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +2.0.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +2.0.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +2.0.0-dev+exp,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url. +2.0.0-dev+exp,true,url,url.extension,keyword,extended,,png,File extension from the original request url. +2.0.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +2.0.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
+2.0.0-dev+exp,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +2.0.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +2.0.0-dev+exp,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +2.0.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. +2.0.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +2.0.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +2.0.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. +2.0.0-dev+exp,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +2.0.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +2.0.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +2.0.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. +2.0.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,user,user.changes.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+2.0.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,user,user.effective.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user. 
+2.0.0-dev+exp,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,user,user.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,user,user.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,user,user.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,user,user.target.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+2.0.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,user,user.target.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +2.0.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +2.0.0-dev+exp,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +2.0.0-dev+exp,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +2.0.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +2.0.0-dev+exp,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +2.0.0-dev+exp,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
+2.0.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +2.0.0-dev+exp,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +2.0.0-dev+exp,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +2.0.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +2.0.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +2.0.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +2.0.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +2.0.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +2.0.0-dev+exp,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +2.0.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +2.0.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +2.0.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +2.0.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +2.0.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. 
+2.0.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +2.0.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +2.0.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +2.0.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +2.0.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 6782a5638f..1eafd2cbf3 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "2.0.0-dev" + "version": "2.0.0-dev+exp" }, "date_detection": false, "dynamic_templates": [ diff --git a/scripts/generator.py b/scripts/generator.py index 92b877499c..552a011f65 100644 --- a/scripts/generator.py +++ b/scripts/generator.py @@ -40,6 +40,10 @@ def main(): # statements like this after any step of interest. # ecs_helpers.yaml_dump('ecs.yml', fields) + # Detect usage of experimental changes to tweak artifact headers + if loader.EXPERIMENTAL_SCHEMA_DIR in args.include: + ecs_version += "+exp" + fields = loader.load_schemas(ref=args.ref, included_files=args.include) if args.oss: oss.fallback(fields) diff --git a/scripts/schema/loader.py b/scripts/schema/loader.py index e953834d97..1213cf136e 100644 --- a/scripts/schema/loader.py +++ b/scripts/schema/loader.py @@ -42,6 +42,8 @@ # Examples of this are 'dns.answers', 'observer.egress'. +EXPERIMENTAL_SCHEMA_DIR = 'experimental/schemas' + def load_schemas(ref=None, included_files=[]): """Loads ECS and custom schemas. They are returned deeply nested and merged.""" # ECS fields (from git ref or not) 
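Review bot: The membership test `if loader.EXPERIMENTAL_SCHEMA_DIR in args.include:` in the scripts/generator.py hunk is an exact string comparison, so spelling the directory as `experimental/schemas/` or `./experimental/schemas` would (assuming the loader resolves the path the same way) still load the experimental schemas but leave the artifacts labelled plain `2.0.0-dev`, which is precisely the mislabel this change exists to prevent, and the `+exp` suffix is the only provenance marker a consumer of the template or field list gets. I would normalise before comparing, e.g. `if any(os.path.normpath(p) == loader.EXPERIMENTAL_SCHEMA_DIR for p in (args.include or [])):` with `import os` at the top of the file if it is not already there; the removed local copy of the constant in loader.py suggests the loader compares the same value, so the normalisation is best placed in loader.py and reused here so both sides agree. The `or []` also covers `args.include` being `None` when `--include` is omitted, which would otherwise raise `TypeError` on this line; the loader's `if included_files and len(included_files) > 0` guard hints that the value can be falsy, but the argparse default is outside this hunk, so please confirm. Separately, `+exp` is SemVer build metadata that comparators ignore, so tooling that orders or de-duplicates by `_meta.version` will treat `2.0.0-dev` and `2.0.0-dev+exp` as the same version; a comment on this line such as `# "+exp" is a human-readable label only: SemVer ignores build metadata for precedence` would save the next reader from relying on it for version comparison. The enclosing `main()` begins before this hunk.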
@@ -51,8 +53,6 @@ def load_schemas(ref=None, included_files=[]): schema_files_raw = load_schema_files(ecs_helpers.ecs_files()) fields = deep_nesting_representation(schema_files_raw) - EXPERIMENTAL_SCHEMA_DIR = 'experimental/schemas' - # Custom additional files if included_files and len(included_files) > 0: print('Loading user defined schemas: {0}'.format(included_files)) From 4aaccb1b0c21eee17de488e72f280ff2142d14dd Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Thu, 12 Nov 2020 12:23:03 -0500 Subject: [PATCH 2/4] Append to exp artifacts changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index edd614a6b0..264d81fe91 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,7 +19,7 @@ All notable changes to this project will be documented in this file based on the * Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951 * Added `configuration` as an allowed `event.category`. #963 * Added a new directory with experimental artifacts, which includes all changes - from RFCs that have reached stage 2. #993, #1053 + from RFCs that have reached stage 2. #993, #1053, #1117 #### Improvements From f02eb416f3f5f33d995e14557088d501d07db45c Mon Sep 17 00:00:00 2001 From: Mathieu Martin Date: Thu, 12 Nov 2020 12:23:37 -0500 Subject: [PATCH 3/4] Space. The final frontier. --- scripts/schema/loader.py | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/schema/loader.py b/scripts/schema/loader.py index 1213cf136e..07477551af 100644 --- a/scripts/schema/loader.py +++ b/scripts/schema/loader.py @@ -44,6 +44,7 @@ EXPERIMENTAL_SCHEMA_DIR = 'experimental/schemas' + def load_schemas(ref=None, included_files=[]): """Loads ECS and custom schemas. They are returned deeply nested and merged.""" # ECS fields (from git ref or not) From 1783159558203312beb2269e4c6842855f2ea089 Mon Sep 17 00:00:00 2001 
From: Mathieu Martin Date: Thu, 12 Nov 2020 16:25:38 -0500 Subject: [PATCH 4/4] Adjust comment: "tweak artifact version label" --- scripts/generator.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/generator.py b/scripts/generator.py index 552a011f65..7e009d5fad 100644 --- a/scripts/generator.py +++ b/scripts/generator.py @@ -40,7 +40,7 @@ def main(): # statements like this after any step of interest. # ecs_helpers.yaml_dump('ecs.yml', fields) - # Detect usage of experimental changes to tweak artifact headers + # Detect usage of experimental changes to tweak artifact version label if loader.EXPERIMENTAL_SCHEMA_DIR in args.include: ecs_version += "+exp"