From e458eb0ec663ab2f401a1f881c845e47d7e77012 Mon Sep 17 00:00:00 2001 
From: nnamdifrankie <56440728+nnamdifrankie@users.noreply.github.com>
Date: Tue, 23 Jun 2020 10:33:40 -0400
Subject: [PATCH] Adding package version 0.5.0 (#87)
---
 .../0.5.0/dataset/alerts/fields/fields.yml | 3892 +++++++++++++++
 .../0.5.0/dataset/alerts/manifest.yml | 3 +
 .../dataset/events/fields/base-fields.yml | 33 +
 .../0.5.0/dataset/events/fields/fields.yml | 4329 +++++++++++++++++
 .../0.5.0/dataset/events/manifest.yml | 5 +
 .../0.5.0/dataset/file/fields/fields.yml | 661 +++
 .../endpoint/0.5.0/dataset/file/manifest.yml | 5 +
 .../0.5.0/dataset/library/fields/fields.yml | 650 +++
 .../0.5.0/dataset/library/manifest.yml | 5 +
 .../0.5.0/dataset/metadata/fields/fields.yml | 277 ++
 .../0.5.0/dataset/metadata/manifest.yml | 3 +
 .../dataset/metadata_mirror/fields/fields.yml | 277 ++
 .../dataset/metadata_mirror/manifest.yml | 3 +
 .../0.5.0/dataset/network/fields/fields.yml | 895 ++++
 .../0.5.0/dataset/network/manifest.yml | 5 +
 .../0.5.0/dataset/policy/fields/fields.yml | 424 ++
 .../0.5.0/dataset/policy/manifest.yml | 3 +
 .../0.5.0/dataset/process/fields/fields.yml | 696 +++
 .../0.5.0/dataset/process/manifest.yml | 5 +
 .../0.5.0/dataset/registry/fields/fields.yml | 569 +++
 .../0.5.0/dataset/registry/manifest.yml | 5 +
 .../0.5.0/dataset/security/fields/fields.yml | 510 ++
 .../0.5.0/dataset/security/manifest.yml | 5 +
 .../0.5.0/dataset/telemetry/fields/fields.yml | 444 ++
 .../0.5.0/dataset/telemetry/manifest.yml | 3 +
 packages/endpoint/0.5.0/docs/README.md | 3 +
 .../0.5.0/img/logo-endpoint-64-color.svg | 7 +
 .../826759f0-7074-11ea-9bc8-6b38f4d29a16.json | 53 +
 .../a3a3bd10-706b-11ea-9bc8-6b38f4d29a16.json | 50 +
 .../1cfceda0-728b-11ea-9bc8-6b38f4d29a16.json | 31 +
 .../1e525190-7074-11ea-9bc8-6b38f4d29a16.json | 26 +
 .../55387750-729c-11ea-9bc8-6b38f4d29a16.json | 26 +
 .../92b1edc0-706a-11ea-9bc8-6b38f4d29a16.json | 26 +
 packages/endpoint/0.5.0/manifest.yml | 33 +
 34 files changed, 13962 insertions(+)
 create mode 100644 packages/endpoint/0.5.0/dataset/alerts/fields/fields.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/alerts/manifest.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/events/fields/base-fields.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/events/fields/fields.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/events/manifest.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/file/fields/fields.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/file/manifest.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/library/fields/fields.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/library/manifest.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/metadata/fields/fields.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/metadata/manifest.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/metadata_mirror/fields/fields.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/metadata_mirror/manifest.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/network/fields/fields.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/network/manifest.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/policy/fields/fields.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/policy/manifest.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/process/fields/fields.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/process/manifest.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/registry/fields/fields.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/registry/manifest.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/security/fields/fields.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/security/manifest.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/telemetry/fields/fields.yml
 create mode 100644 packages/endpoint/0.5.0/dataset/telemetry/manifest.yml
 create mode 100644 packages/endpoint/0.5.0/docs/README.md
 create mode 100644 packages/endpoint/0.5.0/img/logo-endpoint-64-color.svg
 create mode 100644 packages/endpoint/0.5.0/kibana/dashboard/826759f0-7074-11ea-9bc8-6b38f4d29a16.json
 create mode 100644 packages/endpoint/0.5.0/kibana/map/a3a3bd10-706b-11ea-9bc8-6b38f4d29a16.json
 create mode 100644 packages/endpoint/0.5.0/kibana/visualization/1cfceda0-728b-11ea-9bc8-6b38f4d29a16.json
 create mode 100644 packages/endpoint/0.5.0/kibana/visualization/1e525190-7074-11ea-9bc8-6b38f4d29a16.json
 create mode 100644 packages/endpoint/0.5.0/kibana/visualization/55387750-729c-11ea-9bc8-6b38f4d29a16.json
 create mode 100644 packages/endpoint/0.5.0/kibana/visualization/92b1edc0-706a-11ea-9bc8-6b38f4d29a16.json
 create mode 100644 packages/endpoint/0.5.0/manifest.yml
diff --git a/packages/endpoint/0.5.0/dataset/alerts/fields/fields.yml b/packages/endpoint/0.5.0/dataset/alerts/fields/fields.yml
new file mode 100644
index 0000000000..a86f484f9d
--- /dev/null
+++ b/packages/endpoint/0.5.0/dataset/alerts/fields/fields.yml
@@ -0,0 +1,3892 @@ +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when + the event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: Endpoint + title: Endpoint + group: 2 + description: Fields describing the state of the Elastic Endpoint when an event + occurs. + type: group + fields: + - name: policy + level: custom + type: object + object_type: keyword + description: The policy fields are used to hold information about applied policy. + default_field: false + - name: policy.applied + level: custom + type: object + object_type: keyword + description: information about the policy that is applied + default_field: false + - name: policy.applied.artifacts + level: custom + type: object + object_type: keyword + description: information about protection artifacts applied. + enabled: false + default_field: false + - name: policy.applied.artifacts.global + level: custom + type: object + object_type: keyword + description: information about global protection artifacts applied. + default_field: false + - name: policy.applied.artifacts.global.identifiers + level: custom + type: nested + description: the identifiers of global artifacts applied. 
+ default_field: false + - name: policy.applied.artifacts.global.identifiers.name + level: custom + type: keyword + ignore_above: 1024 + description: the name of global artifact applied. + default_field: false + - name: policy.applied.artifacts.global.identifiers.sha256 + level: custom + type: keyword + ignore_above: 1024 + description: the sha256 of global artifacts applied. + default_field: false + - name: policy.applied.artifacts.global.version + level: custom + type: keyword + ignore_above: 1024 + description: the version of global artifacts applied. + default_field: false + - name: policy.applied.artifacts.user + level: custom + type: object + object_type: keyword + description: information about user protection artifacts applied. + default_field: false + - name: policy.applied.artifacts.user.identifiers + level: custom + type: nested + description: the identifiers of user artifacts applied. + default_field: false + - name: policy.applied.artifacts.user.identifiers.name + level: custom + type: keyword + ignore_above: 1024 + description: the name of user artifact applied. + default_field: false + - name: policy.applied.artifacts.user.identifiers.sha256 + level: custom + type: keyword + ignore_above: 1024 + description: the sha256 of user artifacts applied. + default_field: false + - name: policy.applied.artifacts.user.version + level: custom + type: keyword + ignore_above: 1024 + description: the version of user artifacts applied. 
+ default_field: false + - name: policy.applied.id + level: custom + type: keyword + ignore_above: 1024 + description: the id of the applied policy + default_field: false + - name: policy.applied.name + level: custom + type: keyword + ignore_above: 1024 + description: the name of this applied policy + default_field: false + - name: policy.applied.status + level: custom + type: keyword + ignore_above: 1024 + description: the status of the applied policy + default_field: false + - name: policy.applied.version + level: custom + type: keyword + ignore_above: 1024 + description: the version of this applied policy + default_field: false +- name: Target + title: Target + group: 2 + description: 'These fields contain information about a target. + + These fields provide more context about the target process and thread that are + related to the data in the document. Useful in a security context where a target + process or thread may be acted on by another process or thread.' + type: group + fields: + - name: dll.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: dll.Ext.compile_time + level: custom + type: date + description: Timestamp from when the module was compiled. + default_field: false + - name: dll.Ext.malware_classification.features.data.buffer + level: custom + type: keyword + ignore_above: 1024 + description: The features extracted from this file and evaluated by the model. Usually + an array of floats. Likely zlib-encoded. + default_field: false + - name: dll.Ext.malware_classification.features.data.decompressed_size + level: custom + type: integer + description: The decompressed size of buffer. + default_field: false + - name: dll.Ext.malware_classification.features.data.encoding + level: custom + type: keyword + ignore_above: 1024 + description: The encoding of buffer (e.g. zlib). 
+ default_field: false + - name: dll.Ext.malware_classification.identifier + level: custom + type: keyword + ignore_above: 1024 + description: The model's unique identifier. + default_field: false + - name: dll.Ext.malware_classification.score + level: custom + type: double + description: The score produced by the classification model. + default_field: false + - name: dll.Ext.malware_classification.threshold + level: custom + type: double + description: The score threshold for the model. Files that score above this + threshold are considered malicious. + default_field: false + - name: dll.Ext.malware_classification.upx_packed + level: custom + type: boolean + description: Whether UPX packing was detected. + default_field: false + - name: dll.Ext.malware_classification.version + level: custom + type: keyword + ignore_above: 1024 + description: The version of the model used. + default_field: false + - name: dll.Ext.mapped_address + level: custom + type: keyword + ignore_above: 1024 + description: The base address where this module is loaded. + default_field: false + - name: dll.Ext.mapped_size + level: custom + type: long + description: The size of this module's memory mapping, in bytes. + default_field: false + - name: dll.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: dll.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: dll.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: dll.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: dll.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: dll.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: dll.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: dll.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: dll.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: dll.name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the library. + + This generally maps to the name of the file on disk.' + example: kernel32.dll + default_field: false + - name: dll.path + level: extended + type: keyword + ignore_above: 1024 + description: Full file path of the library. + example: C:\Windows\System32\kernel32.dll + default_field: false + - name: dll.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. 
+ example: Microsoft Corporation + default_field: false + - name: dll.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: dll.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: dll.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: dll.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: process.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: process.Ext.ancestry + level: custom + type: keyword + ignore_above: 1024 + description: An array of entity_ids indicating the ancestors for this event + default_field: false + - name: process.Ext.authentication_id + level: custom + type: keyword + ignore_above: 1024 + description: Process authentication ID + default_field: false + - name: process.Ext.code_signature + level: custom + type: nested + description: Nested version of ECS code_signature fieldset. + default_field: false + - name: process.Ext.code_signature.exists + level: custom + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: process.Ext.code_signature.status + level: custom + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. 
+ + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: process.Ext.code_signature.subject_name + level: custom + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: process.Ext.code_signature.trusted + level: custom + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: process.Ext.code_signature.valid + level: custom + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: process.Ext.malware_classification.features.data.buffer + level: custom + type: keyword + ignore_above: 1024 + description: The features extracted from this file and evaluated by the model. Usually + an array of floats. Likely zlib-encoded. + default_field: false + - name: process.Ext.malware_classification.features.data.decompressed_size + level: custom + type: integer + description: The decompressed size of buffer. + default_field: false + - name: process.Ext.malware_classification.features.data.encoding + level: custom + type: keyword + ignore_above: 1024 + description: The encoding of buffer (e.g. zlib). + default_field: false + - name: process.Ext.malware_classification.identifier + level: custom + type: keyword + ignore_above: 1024 + description: The model's unique identifier. 
+ default_field: false + - name: process.Ext.malware_classification.score + level: custom + type: double + description: The score produced by the classification model. + default_field: false + - name: process.Ext.malware_classification.threshold + level: custom + type: double + description: The score threshold for the model. Files that score above this + threshold are considered malicious. + default_field: false + - name: process.Ext.malware_classification.upx_packed + level: custom + type: boolean + description: Whether UPX packing was detected. + default_field: false + - name: process.Ext.malware_classification.version + level: custom + type: keyword + ignore_above: 1024 + description: The version of the model used. + default_field: false + - name: process.Ext.services + level: custom + type: keyword + ignore_above: 1024 + description: Services running in this process. + default_field: false + - name: process.Ext.session + level: custom + type: keyword + ignore_above: 1024 + description: Session information for the current process + default_field: false + - name: process.Ext.token.domain + level: custom + type: keyword + ignore_above: 1024 + description: Domain of token user. + default_field: false + - name: process.Ext.token.elevation + level: custom + type: boolean + description: Whether the token is elevated or not + default_field: false + - name: process.Ext.token.elevation_type + level: custom + type: keyword + ignore_above: 1024 + description: What level of elevation the token has + example: one of "default", "full", "limited" + default_field: false + - name: process.Ext.token.impersonation_level + level: custom + type: keyword + ignore_above: 1024 + description: Impersonation level. Only valid for impersonation tokens. + default_field: false + - name: process.Ext.token.integrity_level + level: custom + type: long + description: Numeric integrity level. 
+ default_field: false + - name: process.Ext.token.integrity_level_name + level: custom + type: keyword + ignore_above: 1024 + description: Human readable integrity level. + example: one of "system", "high", "medium", "low", "untrusted" + default_field: false + - name: process.Ext.token.is_appcontainer + level: custom + type: boolean + description: Whether or not this is an appcontainer token. + default_field: false + - name: process.Ext.token.privileges + level: custom + type: nested + description: Array describing the privileges associated with the token. + default_field: false + - name: process.Ext.token.privileges.description + level: custom + type: keyword + ignore_above: 1024 + description: Description of the privilege. + default_field: false + - name: process.Ext.token.privileges.enabled + level: custom + type: boolean + description: Whether or not the privilege is enabled. + default_field: false + - name: process.Ext.token.privileges.name + level: custom + type: keyword + ignore_above: 1024 + description: Name of the privilege. + default_field: false + - name: process.Ext.token.sid + level: custom + type: keyword + ignore_above: 1024 + description: Token user's Security Identifier (SID). + default_field: false + - name: process.Ext.token.type + level: custom + type: keyword + ignore_above: 1024 + description: Type of the token, either primary or impersonation. + default_field: false + - name: process.Ext.token.user + level: custom + type: keyword + ignore_above: 1024 + description: Username of token owner. + default_field: false + - name: process.Ext.user + level: custom + type: keyword + ignore_above: 1024 + description: User associated with the running process. + default_field: false + - name: process.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' 
+ example: + - /usr/bin/ssh + - -l + - user + - 10.0.0.16 + default_field: false + - name: process.args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: process.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: process.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: process.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: process.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: process.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + default_field: false + - name: process.command_line + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: process.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: process.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: process.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: process.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: process.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: process.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. 
+ default_field: false + - name: process.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: process.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: process.parent.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: process.parent.Ext.code_signature + level: custom + type: nested + description: Nested version of ECS code_signature fieldset. + default_field: false + - name: process.parent.Ext.code_signature.exists + level: custom + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: process.parent.Ext.code_signature.status + level: custom + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: process.parent.Ext.code_signature.subject_name + level: custom + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: process.parent.Ext.code_signature.trusted + level: custom + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' 
+ example: 'true' + default_field: false + - name: process.parent.Ext.code_signature.valid + level: custom + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: process.parent.Ext.real + level: custom + type: object + object_type: keyword + description: The field set containing parent process info in case of any ppid + spoofing. + default_field: false + - name: process.parent.Ext.real.pid + level: custom + type: long + description: The ppid of the process that actually spawned the current process, + in case of ppid spoofing. + default_field: false + - name: process.parent.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments. + + May be filtered to protect sensitive information.' + example: + - ssh + - -l + - user + - 10.0.0.16 + default_field: false + - name: process.parent.args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: process.parent.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: process.parent.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: process.parent.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: process.parent.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: process.parent.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: process.parent.command_line + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: process.parent.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d + default_field: false + - name: process.parent.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: process.parent.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: process.parent.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: process.parent.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: process.parent.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: process.parent.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: process.parent.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: process.parent.pgid + level: extended + type: long + format: string + description: Identifier of the group of processes the process belongs to. + default_field: false + - name: process.parent.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: process.parent.ppid + level: extended + type: long + format: string + description: Parent process' pid. + example: 4241 + default_field: false + - name: process.parent.start + level: extended + type: date + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: process.parent.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: process.parent.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: process.parent.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: process.parent.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: process.parent.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The working directory of the process. + example: /home/alice + default_field: false + - name: process.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: process.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: process.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: process.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + default_field: false + - name: process.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: process.pgid + level: extended + type: long + format: string + description: Identifier of the group of processes the process belongs to. + default_field: false + - name: process.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: process.ppid + level: extended + type: long + format: string + description: Parent process' pid. + example: 4241 + default_field: false + - name: process.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: process.thread.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: process.thread.Ext.call_stack.instruction_pointer + level: custom + type: keyword + ignore_above: 1024 + description: The return address of this stack frame. + default_field: false + - name: process.thread.Ext.call_stack.memory_section.address + level: custom + type: keyword + ignore_above: 1024 + description: Base address of the memory region containing `instruction_pointer`. Corresponds + to `MEMORY_BASIC_INFORMATION.BaseAddress` + default_field: false + - name: process.thread.Ext.call_stack.memory_section.protection + level: custom + type: keyword + ignore_above: 1024 + description: Memory protection flags of this memory region. Corresponds to + `MEMORY_BASIC_INFORMATION.Protect` + default_field: false + - name: process.thread.Ext.call_stack.memory_section.size + level: custom + type: keyword + ignore_above: 1024 + description: Size of the memory region containing `instruction_pointer`. 
Corresponds + to `MEMORY_BASIC_INFORMATION.RegionSize` + default_field: false + - name: process.thread.Ext.call_stack.module_path + level: custom + type: keyword + ignore_above: 1024 + description: The DLL/module containing `instruction_pointer`. + default_field: false + - name: process.thread.Ext.call_stack.rva + level: custom + type: keyword + ignore_above: 1024 + description: The relative virtual address of `instruction_pointer`. Computed + as `instruction_pointer - MEMORY_BASIC_INFORMATION.AllocationBase`. + default_field: false + - name: process.thread.Ext.call_stack.symbol_info + level: custom + type: keyword + ignore_above: 1024 + description: The nearest symbol for `instruction_pointer`. + default_field: false + - name: process.thread.Ext.service + level: custom + type: keyword + ignore_above: 1024 + description: Service associated with the thread. + example: VaultSvc + default_field: false + - name: process.thread.Ext.start + level: custom + type: date + description: The time the thread started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: process.thread.Ext.start_address + level: custom + type: keyword + ignore_above: 1024 + description: Memory address where the thread began execution. + example: 5442508 + default_field: false + - name: process.thread.Ext.start_address_module + level: custom + type: keyword + ignore_above: 1024 + description: The dll/module where the thread began execution. + example: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe + default_field: false + - name: process.thread.Ext.token.domain + level: custom + type: keyword + ignore_above: 1024 + description: Domain of token user. 
+ default_field: false + - name: process.thread.Ext.token.elevation + level: custom + type: boolean + description: Whether the token is elevated or not + default_field: false + - name: process.thread.Ext.token.elevation_type + level: custom + type: keyword + ignore_above: 1024 + description: What level of elevation the token has + example: one of "default", "full", "limited" + default_field: false + - name: process.thread.Ext.token.impersonation_level + level: custom + type: keyword + ignore_above: 1024 + description: Impersonation level. Only valid for impersonation tokens. + default_field: false + - name: process.thread.Ext.token.integrity_level + level: custom + type: long + description: Numeric integrity level. + default_field: false + - name: process.thread.Ext.token.integrity_level_name + level: custom + type: keyword + ignore_above: 1024 + description: Human readable integrity level. + example: one of "system", "high", "medium", "low", "untrusted" + default_field: false + - name: process.thread.Ext.token.is_appcontainer + level: custom + type: boolean + description: Whether or not this is an appcontainer token. + default_field: false + - name: process.thread.Ext.token.privileges + level: custom + type: nested + description: Array describing the privileges associated with the token. + default_field: false + - name: process.thread.Ext.token.privileges.description + level: custom + type: keyword + ignore_above: 1024 + description: Description of the privilege. + default_field: false + - name: process.thread.Ext.token.privileges.enabled + level: custom + type: boolean + description: Whether or not the privilege is enabled. + default_field: false + - name: process.thread.Ext.token.privileges.name + level: custom + type: keyword + ignore_above: 1024 + description: Name of the privilege. + default_field: false + - name: process.thread.Ext.token.sid + level: custom + type: keyword + ignore_above: 1024 + description: Token user's Security Identifier (SID). 
+ default_field: false + - name: process.thread.Ext.token.type + level: custom + type: keyword + ignore_above: 1024 + description: Type of the token, either primary or impersonation. + default_field: false + - name: process.thread.Ext.token.user + level: custom + type: keyword + ignore_above: 1024 + description: Username of token owner. + default_field: false + - name: process.thread.Ext.uptime + level: custom + type: long + description: Seconds since thread started. + default_field: false + - name: process.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: process.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: process.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: process.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: process.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The working directory of the process. + example: /home/alice + default_field: false +- name: agent + title: Agent + group: 2 + description: 'The agent fields contain the data about the software entity, if + any, that collects, detects, or observes events on a host, or takes measurements + on a host. + + Examples include Beats. Agents may also run on observers. ECS agent.* fields + shall be populated with details of the agent running on the host or observer + where the event happened or the measurement was taken.' 
+ footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. + For APM, it is the agent running in the app/service. The agent information does + not change if data is sent through queuing systems like Kafka, Redis, or processing + systems such as Logstash or APM Server.' + type: group + fields: + - name: ephemeral_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Ephemeral identifier of this agent (if one exists). + + This id normally changes across restarts, but `agent.id` does not.' + example: 8a4f500f + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique identifier of this agent (if one exists). + + Example: For Beats this would be beat.id.' + example: 8a4f500d + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Custom name of the agent. + + This is a name that can be given to an agent. This can be helpful if for example + two Filebeat instances are running on the same host but a human readable separation + is needed on which Filebeat instance data is coming from. + + If no name is given, the name is often left empty.' + example: foo + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of the agent. + + The agent type stays always the same and should be given by the agent used. + In case of Filebeat the agent would always be Filebeat also if two Filebeat + instances are run on the same machine.' + example: filebeat + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Version of the agent. + example: 6.0.0-rc2 +- name: dataset + title: dataset + group: 2 + description: Fields describing the new indexing strategy -- + type: group + fields: + - name: name + level: custom + type: constant_keyword + description: Dataset name. + default_field: false + - name: namespace + level: custom + type: constant_keyword + description: Dataset namespace. 
+ default_field: false + - name: type + level: custom + type: constant_keyword + description: Dataset type. + default_field: false +- name: dll + title: DLL + group: 2 + description: 'These fields contain information about code libraries dynamically + loaded into processes. + + + Many operating systems refer to "shared code libraries" with different names, + but this field set refers to all of the following: + + * Dynamic-link library (`.dll`) commonly used on Windows + + * Shared Object (`.so`) commonly used on Unix-like operating systems + + * Dynamic library (`.dylib`) commonly used on macOS' + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.compile_time + level: custom + type: date + description: Timestamp from when the module was compiled. + default_field: false + - name: Ext.malware_classification.features.data.buffer + level: custom + type: keyword + ignore_above: 1024 + description: The features extracted from this file and evaluated by the model. Usually + an array of floats. Likely zlib-encoded. + default_field: false + - name: Ext.malware_classification.features.data.decompressed_size + level: custom + type: integer + description: The decompressed size of buffer. + default_field: false + - name: Ext.malware_classification.features.data.encoding + level: custom + type: keyword + ignore_above: 1024 + description: The encoding of buffer (e.g. zlib). + default_field: false + - name: Ext.malware_classification.identifier + level: custom + type: keyword + ignore_above: 1024 + description: The model's unique identifier. + default_field: false + - name: Ext.malware_classification.score + level: custom + type: double + description: The score produced by the classification model. 
+ default_field: false + - name: Ext.malware_classification.threshold + level: custom + type: double + description: The score threshold for the model. Files that score above this + threshold are considered malicious. + default_field: false + - name: Ext.malware_classification.upx_packed + level: custom + type: boolean + description: Whether UPX packing was detected. + default_field: false + - name: Ext.malware_classification.version + level: custom + type: keyword + ignore_above: 1024 + description: The version of the model used. + default_field: false + - name: Ext.mapped_address + level: custom + type: keyword + ignore_above: 1024 + description: The base address where this module is loaded. + default_field: false + - name: Ext.mapped_size + level: custom + type: long + description: The size of this module's memory mapping, in bytes. + default_field: false + - name: code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' 
+ example: 'true' + default_field: false + - name: code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the library. + + This generally maps to the name of the file on disk.' + example: kernel32.dll + default_field: false + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Full file path of the library. + example: C:\Windows\System32\kernel32.dll + default_field: false + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false +- name: ecs + title: ECS + group: 2 + description: Meta-information specific to ECS. + type: group + fields: + - name: version + level: core + required: true + type: keyword + ignore_above: 1024 + description: 'ECS version this event conforms to. `ecs.version` is a required + field and must exist in all events. + + When querying across multiple indices -- which may conform to slightly different + ECS versions -- this field lets integrations adjust to the schema version + of the events.' + example: 1.0.0 +- name: elastic + title: Elastic + group: 2 + description: Holds fields and properties of data points and concepts in the elastic + domain or namespace. + type: group + fields: + - name: agent + level: custom + type: object + object_type: keyword + description: The agent fields contain data about the Elastic Agent. The Elastic + Agent is the management agent that manages other agents or process on the + host. + default_field: false + - name: agent.id + level: custom + type: keyword + ignore_above: 1024 + description: Unique identifier of this elastic agent (if one exists). + example: c2a9093e-e289-4c0a-aa44-8c32a414fa7a + default_field: false +- name: event + title: Event + group: 2 + description: 'The event fields are used for context information about the log + or metric event itself. + + A log is defined as an event containing details of something that happened. + Log events must include the time at which the thing happened. Examples of log + events include a process starting on a host, a network packet being sent from + a source to a destination, or a network connection between a client and a server + being initiated or closed. 
A metric is defined as an event containing one or + more numerical measurements and the time at which the measurement was taken. + Examples of metric events include memory pressure measured on a host and device + temperature. See the `event.kind` definition in this section for additional + details about metric and state events.' + type: group + fields: + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is + normally defined by the implementer.' + example: user-password-change + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as + a subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: created + level: core + type: date + description: 'event.created contains the date/time when the event was first + read by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain + the time extracted from the original event. + + In most situations, these two timestamps will be slightly different. The difference + can be used to calculate the delay between your source generating an event, + and the time when your agent first processed it. This can be used to monitor + your agent''s or pipeline''s ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used.' 
+ example: '2016-05-23T08:05:34.857Z' + - name: dataset + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the dataset. + + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which one the event comes + from. + + It''s recommended but not required to start the dataset name with the module + name, followed by a dot, then the dataset name.' + example: apache.access + - name: hash + level: extended + type: keyword + ignore_above: 1024 + description: Hash (perhaps logstash fingerprint) of raw field to be able to + demonstrate log integrity. + example: 123456789012345678901234567890ABCD + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique ID to describe the event. + example: 8a4f500d + - name: ingested + level: core + type: date + description: 'Timestamp when an event arrived in the central data store. + + This is different from `@timestamp`, which is when the event originally occurred. It''s + also different from `event.created`, which is meant to capture the first time + an agent saw the event. + + In normal conditions, assuming no tampering, the timestamps should chronologically + look like this: `@timestamp` < `event.created` < `event.ingested`.' + example: '2016-05-23T08:05:35.101Z' + default_field: false + - name: kind + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + highest level in the ECS category hierarchy. + + `event.kind` gives high-level information about what type of information the + event contains, without being specific to the contents of the event. For example, + values of this field distinguish alert events from metric events. + + The value of this field can be used to inform how these kinds of events should + be handled. 
They may warrant different retention, different access control, + it may also help understand whether the data coming in at a regular interval + or not.' + example: alert + - name: module + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the module this data is coming from. + + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. Apache logs), `event.module` should contain + the name of this module.' + example: apache + - name: outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a + failure from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each + event may populate different values of `event.outcome`, according to their + perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + - name: sequence + level: extended + type: long + format: string + description: 'Sequence number of the event. + + The sequence number is a value published by some event sources, to make the + exact ordering of events unambiguous, regardless of the timestamp precision.' + - name: severity + level: core + type: long + format: string + description: 'The numeric severity of the event according to your event source. 
+ + What the different severity values mean can be different between sources and + use cases. It''s up to the implementer to make sure severities are consistent + across events from the same source. + + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` + is meant to represent the severity according to the event source (e.g. firewall, + IDS). If the event source does not publish its own severity, you may optionally + copy the `log.syslog.severity.code` to `event.severity`.' + example: 7 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + third level in the ECS category hierarchy. + + `event.type` represents a categorization "sub-bucket" that, when used along + with the `event.category` field values, enables filtering events down to a + level appropriate for single visualization. + + This field is an array. This will allow proper categorization of some events + that fall in multiple event types.' +- name: file + title: File + group: 2 + description: 'A file is defined as a set of information that has been created + on, or has existed on a filesystem. + + File objects can be associated with host events, network events, and/or file + events (e.g., those produced by File Integrity Monitoring [FIM] products or + services). File fields provide details about the affected file associated with + the event or metric.' + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.code_signature + level: custom + type: nested + description: Nested version of ECS code_signature fieldset. + default_field: false + - name: Ext.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. 
+ example: 'true' + default_field: false + - name: Ext.code_signature.status + level: custom + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: Ext.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: Ext.code_signature.trusted + level: custom + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: Ext.code_signature.valid + level: custom + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: Ext.entry_modified + level: custom + type: double + description: Time of last status change. See `st_ctim` member of `struct stat`. + default_field: false + - name: Ext.macro.code_page + level: custom + type: long + description: Identifies the character encoding used for this macro. https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers + default_field: false + - name: Ext.macro.collection + level: custom + type: object + object_type: keyword + description: Object containing hashes for the macro collection. + default_field: false + - name: Ext.macro.collection.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. 
+ default_field: false + - name: Ext.macro.collection.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: Ext.macro.collection.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: Ext.macro.collection.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: Ext.macro.errors + level: custom + type: nested + description: Errors that occurred when parsing this document file. + default_field: false + - name: Ext.macro.errors.count + level: custom + type: long + description: Number of times this error that occurred. + default_field: false + - name: Ext.macro.errors.error_type + level: custom + type: keyword + ignore_above: 1024 + description: The type of parsing error that occurred. + default_field: false + - name: Ext.macro.file_extension + level: custom + type: keyword + ignore_above: 1024 + description: The extension of the file containing this macro (e.g. .docm) + default_field: false + - name: Ext.macro.project_file + level: custom + type: object + object_type: keyword + description: Metadata about the corresponding VBA project file + default_field: false + - name: Ext.macro.project_file.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: Ext.macro.project_file.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: Ext.macro.project_file.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: Ext.macro.project_file.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: Ext.macro.stream + level: custom + type: nested + description: Streams associated with the document. 
+ default_field: false + - name: Ext.macro.stream.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: Ext.macro.stream.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: Ext.macro.stream.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: Ext.macro.stream.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: Ext.macro.stream.name + level: custom + type: keyword + ignore_above: 1024 + description: Name of the stream. + default_field: false + - name: Ext.macro.stream.raw_code + level: custom + type: keyword + ignore_above: 1024 + description: First 100KB of raw stream binary. Can be useful to analyze false + positives and malicious payloads. + default_field: false + - name: Ext.macro.stream.raw_code_size + level: custom + type: keyword + ignore_above: 1024 + description: The original stream size. Indicates whether stream.raw_code was + truncated. + default_field: false + - name: Ext.malware_classification.features.data.buffer + level: custom + type: keyword + ignore_above: 1024 + description: The features extracted from this file and evaluated by the model. Usually + an array of floats. Likely zlib-encoded. + default_field: false + - name: Ext.malware_classification.features.data.decompressed_size + level: custom + type: integer + description: The decompressed size of buffer. + default_field: false + - name: Ext.malware_classification.features.data.encoding + level: custom + type: keyword + ignore_above: 1024 + description: The encoding of buffer (e.g. zlib). + default_field: false + - name: Ext.malware_classification.identifier + level: custom + type: keyword + ignore_above: 1024 + description: The model's unique identifier. 
+ default_field: false
+ - name: Ext.malware_classification.score
+ level: custom
+ type: double
+ description: The score produced by the classification model.
+ default_field: false
+ - name: Ext.malware_classification.threshold
+ level: custom
+ type: double
+ description: The score threshold for the model. Files that score above this
+ threshold are considered malicious.
+ default_field: false
+ - name: Ext.malware_classification.upx_packed
+ level: custom
+ type: boolean
+ description: Whether UPX packing was detected.
+ default_field: false
+ - name: Ext.malware_classification.version
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: The version of the model used.
+ default_field: false
+ - name: Ext.original
+ level: custom
+ type: object
+ object_type: keyword
+ description: Original file information during a modification event.
+ default_field: false
+ - name: Ext.original.gid
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Primary group ID (GID) of the file.
+ example: '1001'
+ default_field: false
+ - name: Ext.original.group
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Primary group name of the file.
+ example: alice
+ default_field: false
+ - name: Ext.original.mode
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Original file mode prior to a modification event
+ default_field: false
+ - name: Ext.original.name
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Original file name prior to a modification event
+ default_field: false
+ - name: Ext.original.owner
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: File owner's username.
+ example: alice
+ default_field: false
+ - name: Ext.original.path
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Original file path prior to a modification event
+ default_field: false
+ - name: Ext.original.uid
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: The user ID (UID) or security identifier (SID) of the file owner.
+ example: '1001'
+ default_field: false
+ - name: Ext.quarantine_path
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Path on endpoint the quarantined file was originally.
+ default_field: false
+ - name: Ext.quarantine_result
+ level: custom
+ type: boolean
+ description: Boolean representing whether or not file quarantine succeeded.
+ default_field: false
+ - name: Ext.temp_file_path
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Path on endpoint where a copy of the file is being stored. Used
+ to make ephemeral files retrievable.
+ default_field: false
+ - name: Ext.windows
+ level: custom
+ type: object
+ object_type: keyword
+ description: Platform-specific Windows fields
+ default_field: false
+ - name: Ext.windows.zone_identifier
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Windows zone identifier for a file
+ default_field: false
+ - name: accessed
+ level: extended
+ type: date
+ description: 'Last time the file was accessed.
+
+ Note that not all filesystems keep track of access time.'
+ - name: attributes
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Array of file attributes.
+
+ Attributes names will vary by platform. Here''s a non-exhaustive list of values
+ that are expected in this field: archive, compressed, directory, encrypted,
+ execute, hidden, read, readonly, system, write.'
+ example: '["readonly", "system"]'
+ default_field: false
+ - name: code_signature.exists
+ level: core
+ type: boolean
+ description: Boolean to capture if a signature is present.
+ example: 'true'
+ default_field: false
+ - name: code_signature.status
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Additional information about the certificate status.
+
+ This is useful for logging cryptographic errors with the certificate validity
+ or trust status. Leave unpopulated if the validity or trust of the certificate
+ was unchecked.'
+ example: ERROR_UNTRUSTED_ROOT
+ default_field: false
+ - name: code_signature.subject_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Subject name of the code signer
+ example: Microsoft Corporation
+ default_field: false
+ - name: code_signature.trusted
+ level: extended
+ type: boolean
+ description: 'Stores the trust status of the certificate chain.
+
+ Validating the trust of the certificate chain may be complicated, and this
+ field should only be populated by tools that actively check the status.'
+ example: 'true'
+ default_field: false
+ - name: code_signature.valid
+ level: extended
+ type: boolean
+ description: 'Boolean to capture if the digital signature is verified against
+ the binary content.
+
+ Leave unpopulated if a certificate was unchecked.'
+ example: 'true'
+ default_field: false
+ - name: created
+ level: extended
+ type: date
+ description: 'File creation time.
+
+ Note that not all filesystems store the creation time.'
+ - name: ctime
+ level: extended
+ type: date
+ description: 'Last time the file attributes or metadata changed.
+
+ Note that changes to the file content will update `mtime`. This implies `ctime`
+ will be adjusted at the same time, since `mtime` is an attribute of the file.'
+ - name: device
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Device that is the source of the file.
+ example: sda
+ - name: directory
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Directory where the file is located. It should include the drive
+ letter, when appropriate.
+ example: /home/alice
+ - name: drive_letter
+ level: extended
+ type: keyword
+ ignore_above: 1
+ description: 'Drive letter where the file is located. This field is only relevant
+ on Windows.
+
+ The value should be uppercase, and not include the colon.'
+ example: C
+ default_field: false
+ - name: extension
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: File extension.
+ example: png
+ - name: gid
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Primary group ID (GID) of the file.
+ example: '1001'
+ - name: group
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Primary group name of the file.
+ example: alice
+ - name: hash.md5
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: MD5 hash.
+ - name: hash.sha1
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA1 hash.
+ - name: hash.sha256
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA256 hash.
+ - name: hash.sha512
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA512 hash.
+ - name: inode
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Inode representing the file in the filesystem.
+ example: '256383'
+ - name: mime_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: MIME type should identify the format of the file or stream of bytes
+ using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
+ official types], where possible. When more than one type is applicable, the
+ most specific type should be used.
+ default_field: false
+ - name: mode
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Mode of the file in octal representation.
+ example: '0640'
+ - name: mtime
+ level: extended
+ type: date
+ description: Last time the file content was modified.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the file including the extension, without the directory.
+ example: example.png
+ - name: owner
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: File owner's username.
+ example: alice
+ - name: path
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Full path to the file, including the file name. It should include
+ the drive letter, when appropriate.
+ example: /home/alice/example.png
+ - name: pe.company
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal company name of the file, provided at compile-time.
+ example: Microsoft Corporation
+ default_field: false
+ - name: pe.description
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal description of the file, provided at compile-time.
+ example: Paint
+ default_field: false
+ - name: pe.file_version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal version of the file, provided at compile-time.
+ example: 6.3.9600.17415
+ default_field: false
+ - name: pe.original_file_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal name of the file, provided at compile-time.
+ example: MSPAINT.EXE
+ default_field: false
+ - name: pe.product
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal product name of the file, provided at compile-time.
+ example: "Microsoft\xAE Windows\xAE Operating System"
+ default_field: false
+ - name: size
+ level: extended
+ type: long
+ description: 'File size in bytes.
+
+ Only relevant when `file.type` is "file".'
+ example: 16384
+ - name: target_path
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Target path for symlinks.
+ - name: type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: File type (file, dir, or symlink).
+ example: file
+ - name: uid
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: The user ID (UID) or security identifier (SID) of the file owner.
+ example: '1001'
+- name: group
+ title: Group
+ group: 2
+ description: The group fields are meant to represent groups that are relevant
+ to the event.
+ type: group
+ fields:
+ - name: Ext
+ level: custom
+ type: object
+ object_type: keyword
+ description: Object for all custom defined fields to live in.
+ default_field: false
+ - name: Ext.real
+ level: custom
+ type: object
+ object_type: keyword
+ description: Group info prior to any setgid operations.
+ default_field: false
+ - name: Ext.real.id
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: Ext.real.name
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ - name: id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the
+ event happened, or from which the measurement was taken. Host types include
+ hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain
+ or NetBIOS domain name. For Linux this could be the domain of the host''s
+ LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: geo.city_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: City name.
+ example: Montreal
+ - name: geo.continent_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Name of the continent.
+ example: North America
+ - name: geo.country_iso_code
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Country ISO code.
+ example: CA
+ - name: geo.country_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Country name.
+ example: Canada
+ - name: geo.location
+ level: core
+ type: geo_point
+ description: Longitude and latitude.
+ example: '{ "lon": -73.614830, "lat": 45.505918 }'
+ - name: geo.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'User-defined description of a location, at the level of granularity
+ they care about.
+
+ Could be the name of their data centers, the floor number, if this describes
+ a local physical entity, city names.
+
+ Not typically used in automated geolocation.'
+ example: boston-dc
+ - name: geo.region_iso_code
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Region ISO code.
+ example: CA-QC
+ - name: geo.region_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Region name.
+ example: Quebec
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified
+ domain name, or a name specified by the user. The sender decides which value
+ to use.'
+ - name: os.Ext
+ level: custom
+ type: object
+ object_type: keyword
+ description: Object for all custom defined fields to live in.
+ default_field: false
+ - name: os.Ext.variant
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: A string value or phrase that further aid to classify or qualify
+ the operating system (OS). For example the distribution for a Linux OS will
+ be entered in this field.
+ example: Ubuntu
+ default_field: false
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.full
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, including the version or code name.
+ example: Mac OS Mojave
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm,
+ this could be the container, for example, or other information meaningful
+ in your environment.'
+ - name: uptime
+ level: extended
+ type: long
+ description: Seconds the host has been up.
+ example: 1325
+ - name: user.Ext
+ level: custom
+ type: object
+ object_type: keyword
+ description: Object for all custom defined fields to live in.
+ default_field: false
+ - name: user.Ext.real
+ level: custom
+ type: object
+ object_type: keyword
+ description: User info prior to any setuid operations.
+ default_field: false
+ - name: user.Ext.real.id
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: One or multiple unique identifiers of the user.
+ default_field: false
+ - name: user.Ext.real.name
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Short name or login of the user.
+ default_field: false
+ - name: user.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ - name: user.email
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: User email address.
+ - name: user.full_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: User's full name, if available.
+ example: Albert Einstein
+ - name: user.group.Ext
+ level: custom
+ type: object
+ object_type: keyword
+ description: Object for all custom defined fields to live in.
+ default_field: false
+ - name: user.group.Ext.real
+ level: custom
+ type: object
+ object_type: keyword
+ description: Group info prior to any setgid operations.
+ default_field: false
+ - name: user.group.Ext.real.id
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: user.group.Ext.real.name
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: user.group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ - name: user.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ - name: user.group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ - name: user.hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ - name: user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifiers of the user.
+ - name: user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Short name or login of the user.
+ example: albert
+- name: process
+ title: Process
+ group: 2
+ description: 'These fields contain information about a process.
+
+ These fields can help you correlate metrics information with a process id/name
+ from a log message.
The `process.pid` often stays in the metric itself and
+ is copied to the global field for correlation.'
+ type: group
+ fields:
+ - name: Ext
+ level: custom
+ type: object
+ object_type: keyword
+ description: Object for all custom defined fields to live in.
+ default_field: false
+ - name: Ext.ancestry
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: An array of entity_ids indicating the ancestors for this event
+ default_field: false
+ - name: Ext.authentication_id
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Process authentication ID
+ default_field: false
+ - name: Ext.code_signature
+ level: custom
+ type: nested
+ description: Nested version of ECS code_signature fieldset.
+ default_field: false
+ - name: Ext.code_signature.exists
+ level: custom
+ type: boolean
+ description: Boolean to capture if a signature is present.
+ example: 'true'
+ default_field: false
+ - name: Ext.code_signature.status
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: 'Additional information about the certificate status.
+
+ This is useful for logging cryptographic errors with the certificate validity
+ or trust status. Leave unpopulated if the validity or trust of the certificate
+ was unchecked.'
+ example: ERROR_UNTRUSTED_ROOT
+ default_field: false
+ - name: Ext.code_signature.subject_name
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Subject name of the code signer
+ example: Microsoft Corporation
+ default_field: false
+ - name: Ext.code_signature.trusted
+ level: custom
+ type: boolean
+ description: 'Stores the trust status of the certificate chain.
+
+ Validating the trust of the certificate chain may be complicated, and this
+ field should only be populated by tools that actively check the status.'
+ example: 'true'
+ default_field: false
+ - name: Ext.code_signature.valid
+ level: custom
+ type: boolean
+ description: 'Boolean to capture if the digital signature is verified against
+ the binary content.
+
+ Leave unpopulated if a certificate was unchecked.'
+ example: 'true'
+ default_field: false
+ - name: Ext.malware_classification.features.data.buffer
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: The features extracted from this file and evaluated by the model. Usually
+ an array of floats. Likely zlib-encoded.
+ default_field: false
+ - name: Ext.malware_classification.features.data.decompressed_size
+ level: custom
+ type: integer
+ description: The decompressed size of buffer.
+ default_field: false
+ - name: Ext.malware_classification.features.data.encoding
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: The encoding of buffer (e.g. zlib).
+ default_field: false
+ - name: Ext.malware_classification.identifier
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: The model's unique identifier.
+ default_field: false
+ - name: Ext.malware_classification.score
+ level: custom
+ type: double
+ description: The score produced by the classification model.
+ default_field: false
+ - name: Ext.malware_classification.threshold
+ level: custom
+ type: double
+ description: The score threshold for the model. Files that score above this
+ threshold are considered malicious.
+ default_field: false
+ - name: Ext.malware_classification.upx_packed
+ level: custom
+ type: boolean
+ description: Whether UPX packing was detected.
+ default_field: false
+ - name: Ext.malware_classification.version
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: The version of the model used.
+ default_field: false
+ - name: Ext.services
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Services running in this process.
+ default_field: false
+ - name: Ext.session
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Session information for the current process
+ default_field: false
+ - name: Ext.token.domain
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Domain of token user.
+ default_field: false
+ - name: Ext.token.elevation
+ level: custom
+ type: boolean
+ description: Whether the token is elevated or not
+ default_field: false
+ - name: Ext.token.elevation_type
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: What level of elevation the token has
+ example: one of "default", "full", "limited"
+ default_field: false
+ - name: Ext.token.impersonation_level
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Impersonation level. Only valid for impersonation tokens.
+ default_field: false
+ - name: Ext.token.integrity_level
+ level: custom
+ type: long
+ description: Numeric integrity level.
+ default_field: false
+ - name: Ext.token.integrity_level_name
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Human readable integrity level.
+ example: one of "system", "high", "medium", "low", "untrusted"
+ default_field: false
+ - name: Ext.token.is_appcontainer
+ level: custom
+ type: boolean
+ description: Whether or not this is an appcontainer token.
+ default_field: false
+ - name: Ext.token.privileges
+ level: custom
+ type: nested
+ description: Array describing the privileges associated with the token.
+ default_field: false
+ - name: Ext.token.privileges.description
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Description of the privilege.
+ default_field: false
+ - name: Ext.token.privileges.enabled
+ level: custom
+ type: boolean
+ description: Whether or not the privilege is enabled.
+ default_field: false
+ - name: Ext.token.privileges.name
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Name of the privilege.
+ default_field: false
+ - name: Ext.token.sid
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Token user's Security Identifier (SID).
+ default_field: false
+ - name: Ext.token.type
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Type of the token, either primary or impersonation.
+ default_field: false
+ - name: Ext.token.user
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Username of token owner.
+ default_field: false
+ - name: Ext.user
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: User associated with the running process.
+ default_field: false
+ - name: args
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Array of process arguments, starting with the absolute path to
+ the executable.
+
+ May be filtered to protect sensitive information.'
+ example:
+ - /usr/bin/ssh
+ - -l
+ - user
+ - 10.0.0.16
+ - name: args_count
+ level: extended
+ type: long
+ description: 'Length of the process.args array.
+
+ This field can be useful for querying or performing bucket analysis on how
+ many arguments were provided to start a process. More arguments may be an
+ indication of suspicious activity.'
+ example: 4
+ default_field: false
+ - name: code_signature.exists
+ level: core
+ type: boolean
+ description: Boolean to capture if a signature is present.
+ example: 'true'
+ default_field: false
+ - name: code_signature.status
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Additional information about the certificate status.
+
+ This is useful for logging cryptographic errors with the certificate validity
+ or trust status. Leave unpopulated if the validity or trust of the certificate
+ was unchecked.'
+ example: ERROR_UNTRUSTED_ROOT
+ default_field: false
+ - name: code_signature.subject_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Subject name of the code signer
+ example: Microsoft Corporation
+ default_field: false
+ - name: code_signature.trusted
+ level: extended
+ type: boolean
+ description: 'Stores the trust status of the certificate chain.
+
+ Validating the trust of the certificate chain may be complicated, and this
+ field should only be populated by tools that actively check the status.'
+ example: 'true'
+ default_field: false
+ - name: code_signature.valid
+ level: extended
+ type: boolean
+ description: 'Boolean to capture if the digital signature is verified against
+ the binary content.
+
+ Leave unpopulated if a certificate was unchecked.'
+ example: 'true'
+ default_field: false
+ - name: command_line
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ description: 'Full command line that started the process, including the absolute
+ path to the executable, and all arguments.
+
+ Some arguments may be filtered to protect sensitive information.'
+ example: /usr/bin/ssh -l user 10.0.0.16
+ default_field: false
+ - name: entity_id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique identifier for the process.
+
+ The implementation of this is specified by the data source, but some examples
+ of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
+ or a hash of some uniquely identifying components of a process.
+
+ Constructing a globally unique identifier is a common practice to mitigate
+ PID reuse as well as to identify a specific process over time, across multiple
+ monitored hosts.'
+ example: c2c455d9f99375d
+ default_field: false
+ - name: executable
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Absolute path to the process executable.
+ example: /usr/bin/ssh
+ - name: exit_code
+ level: extended
+ type: long
+ description: 'The exit code of the process, if this is a termination event.
+
+ The field should be absent if there is no exit code for the event (e.g. process
+ start).'
+ example: 137
+ default_field: false
+ - name: hash.md5
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: MD5 hash.
+ - name: hash.sha1
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA1 hash.
+ - name: hash.sha256
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA256 hash.
+ - name: hash.sha512
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA512 hash.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: 'Process name.
+
+ Sometimes called program name or similar.'
+ example: ssh
+ - name: parent.Ext
+ level: custom
+ type: object
+ object_type: keyword
+ description: Object for all custom defined fields to live in.
+ default_field: false
+ - name: parent.Ext.code_signature
+ level: custom
+ type: nested
+ description: Nested version of ECS code_signature fieldset.
+ default_field: false
+ - name: parent.Ext.code_signature.exists
+ level: custom
+ type: boolean
+ description: Boolean to capture if a signature is present.
+ example: 'true'
+ default_field: false
+ - name: parent.Ext.code_signature.status
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: 'Additional information about the certificate status.
+
+ This is useful for logging cryptographic errors with the certificate validity
+ or trust status.
Leave unpopulated if the validity or trust of the certificate
+ was unchecked.'
+ example: ERROR_UNTRUSTED_ROOT
+ default_field: false
+ - name: parent.Ext.code_signature.subject_name
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Subject name of the code signer
+ example: Microsoft Corporation
+ default_field: false
+ - name: parent.Ext.code_signature.trusted
+ level: custom
+ type: boolean
+ description: 'Stores the trust status of the certificate chain.
+
+ Validating the trust of the certificate chain may be complicated, and this
+ field should only be populated by tools that actively check the status.'
+ example: 'true'
+ default_field: false
+ - name: parent.Ext.code_signature.valid
+ level: custom
+ type: boolean
+ description: 'Boolean to capture if the digital signature is verified against
+ the binary content.
+
+ Leave unpopulated if a certificate was unchecked.'
+ example: 'true'
+ default_field: false
+ - name: parent.Ext.real
+ level: custom
+ type: object
+ object_type: keyword
+ description: The field set containing parent process info in case of any ppid
+ spoofing.
+ default_field: false
+ - name: parent.Ext.real.pid
+ level: custom
+ type: long
+ description: The ppid of the process that actually spawned the current process,
+ in case of ppid spoofing.
+ default_field: false
+ - name: parent.args
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Array of process arguments.
+
+ May be filtered to protect sensitive information.'
+ example:
+ - ssh
+ - -l
+ - user
+ - 10.0.0.16
+ default_field: false
+ - name: parent.args_count
+ level: extended
+ type: long
+ description: 'Length of the process.args array.
+
+ This field can be useful for querying or performing bucket analysis on how
+ many arguments were provided to start a process. More arguments may be an
+ indication of suspicious activity.'
+ example: 4 + default_field: false + - name: parent.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: parent.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: parent.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: parent.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: parent.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: parent.command_line + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: parent.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: parent.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: parent.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: parent.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: parent.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: parent.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: parent.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: parent.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: parent.pgid + level: extended + type: long + format: string + description: Identifier of the group of processes the process belongs to. 
+ default_field: false + - name: parent.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: parent.ppid + level: extended + type: long + format: string + description: Parent process' pid. + example: 4241 + default_field: false + - name: parent.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: parent.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: parent.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: parent.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: parent.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: parent.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The working directory of the process. + example: /home/alice + default_field: false + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. 
+ example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: pgid + level: extended + type: long + format: string + description: Identifier of the group of processes the process belongs to. + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: ppid + level: extended + type: long + format: string + description: Parent process' pid. + example: 4241 + - name: start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + - name: thread.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: thread.Ext.call_stack.instruction_pointer + level: custom + type: keyword + ignore_above: 1024 + description: The return address of this stack frame. + default_field: false + - name: thread.Ext.call_stack.memory_section.address + level: custom + type: keyword + ignore_above: 1024 + description: Base address of the memory region containing `instruction_pointer`. Corresponds + to `MEMORY_BASIC_INFORMATION.BaseAddress` + default_field: false + - name: thread.Ext.call_stack.memory_section.protection + level: custom + type: keyword + ignore_above: 1024 + description: Memory protection flags of this memory region. 
Corresponds to + `MEMORY_BASIC_INFORMATION.Protect` + default_field: false + - name: thread.Ext.call_stack.memory_section.size + level: custom + type: keyword + ignore_above: 1024 + description: Size of the memory region containing `instruction_pointer`. Corresponds + to `MEMORY_BASIC_INFORMATION.RegionSize` + default_field: false + - name: thread.Ext.call_stack.module_path + level: custom + type: keyword + ignore_above: 1024 + description: The DLL/module containing `instruction_pointer`. + default_field: false + - name: thread.Ext.call_stack.rva + level: custom + type: keyword + ignore_above: 1024 + description: The relative virtual address of `instruction_pointer`. Computed + as `instruction_pointer - MEMORY_BASIC_INFORMATION.AllocationBase`. + default_field: false + - name: thread.Ext.call_stack.symbol_info + level: custom + type: keyword + ignore_above: 1024 + description: The nearest symbol for `instruction_pointer`. + default_field: false + - name: thread.Ext.service + level: custom + type: keyword + ignore_above: 1024 + description: Service associated with the thread. + example: VaultSvc + default_field: false + - name: thread.Ext.start + level: custom + type: date + description: The time the thread started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: thread.Ext.start_address + level: custom + type: keyword + ignore_above: 1024 + description: Memory address where the thread began execution. + example: 5442508 + default_field: false + - name: thread.Ext.start_address_module + level: custom + type: keyword + ignore_above: 1024 + description: The dll/module where the thread began execution. + example: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe + default_field: false + - name: thread.Ext.token.domain + level: custom + type: keyword + ignore_above: 1024 + description: Domain of token user. 
+ default_field: false + - name: thread.Ext.token.elevation + level: custom + type: boolean + description: Whether the token is elevated or not + default_field: false + - name: thread.Ext.token.elevation_type + level: custom + type: keyword + ignore_above: 1024 + description: What level of elevation the token has + example: one of "default", "full", "limited" + default_field: false + - name: thread.Ext.token.impersonation_level + level: custom + type: keyword + ignore_above: 1024 + description: Impersonation level. Only valid for impersonation tokens. + default_field: false + - name: thread.Ext.token.integrity_level + level: custom + type: long + description: Numeric integrity level. + default_field: false + - name: thread.Ext.token.integrity_level_name + level: custom + type: keyword + ignore_above: 1024 + description: Human readable integrity level. + example: one of "system", "high", "medium", "low", "untrusted" + default_field: false + - name: thread.Ext.token.is_appcontainer + level: custom + type: boolean + description: Whether or not this is an appcontainer token. + default_field: false + - name: thread.Ext.token.privileges + level: custom + type: nested + description: Array describing the privileges associated with the token. + default_field: false + - name: thread.Ext.token.privileges.description + level: custom + type: keyword + ignore_above: 1024 + description: Description of the privilege. + default_field: false + - name: thread.Ext.token.privileges.enabled + level: custom + type: boolean + description: Whether or not the privilege is enabled. + default_field: false + - name: thread.Ext.token.privileges.name + level: custom + type: keyword + ignore_above: 1024 + description: Name of the privilege. + default_field: false + - name: thread.Ext.token.sid + level: custom + type: keyword + ignore_above: 1024 + description: Token user's Security Identifier (SID). 
+ default_field: false + - name: thread.Ext.token.type + level: custom + type: keyword + ignore_above: 1024 + description: Type of the token, either primary or impersonation. + default_field: false + - name: thread.Ext.token.user + level: custom + type: keyword + ignore_above: 1024 + description: Username of token owner. + default_field: false + - name: thread.Ext.uptime + level: custom + type: long + description: Seconds since thread started. + default_field: false + - name: thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + - name: thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + - name: uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + - name: working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The working directory of the process. + example: /home/alice +- name: rule + title: Rule + group: 2 + description: 'Rule fields are used to capture the specifics of any observer or + agent rules that generate alerts or other notable events. + + Examples of data sources that would populate the rule fields include: network + admission control platforms, network or host IDS/IPS, network firewalls, web + application firewalls, url filters, endpoint detection and response (EDR) systems, + etc.' 
+ type: group + fields: + - name: author + level: extended + type: keyword + ignore_above: 1024 + description: Name, organization, or pseudonym of the author or authors who created + the rule used to generate this event. + example: + - Star-Lord + default_field: false + - name: category + level: extended + type: keyword + ignore_above: 1024 + description: A categorization value keyword used by the entity using the rule + for detection of this event. + example: Attempted Information Leak + default_field: false + - name: description + level: extended + type: keyword + ignore_above: 1024 + description: The description of the rule generating the event. + example: Block requests to public DNS over HTTPS / TLS protocols + default_field: false + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: A rule ID that is unique within the scope of an agent, observer, + or other entity using the rule for detection of this event. + example: 101 + default_field: false + - name: license + level: extended + type: keyword + ignore_above: 1024 + description: Name of the license under which the rule used to generate this + event is made available. + example: Apache 2.0 + default_field: false + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + default_field: false + - name: reference + level: extended + type: keyword + ignore_above: 1024 + description: 'Reference URL to additional information about the rule used to + generate this event. + + The URL can point to the vendor''s documentation about the rule. If that''s + not available, it can also be a link to a more general page describing this + type of alert.' 
+ example: https://en.wikipedia.org/wiki/DNS_over_TLS + default_field: false + - name: ruleset + level: extended + type: keyword + ignore_above: 1024 + description: Name of the ruleset, policy, group, or parent category in which + the rule used to generate this event is a member. + example: Standard_Protocol_Filters + default_field: false + - name: uuid + level: extended + type: keyword + ignore_above: 1024 + description: A rule ID that is unique within the scope of a set or group of + agents, observers, or other entities using the rule for detection of this + event. + example: 1100110011 + default_field: false + - name: version + level: extended + type: keyword + ignore_above: 1024 + description: The version / revision of the rule being used for analysis. + example: 1.1 + default_field: false +- name: threat + title: Threat + group: 2 + description: 'Fields to classify events and alerts according to a threat taxonomy + such as the Mitre ATT&CK framework. + + These fields are for users to classify alerts from all of their sources (e.g. + IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to + capture the high level category of the threat (e.g. "impact"). The threat.technique.* + fields are meant to capture which kind of approach is used by this detected + threat, to accomplish the goal (e.g. "endpoint denial of service").' + type: group + fields: + - name: framework + level: extended + type: keyword + ignore_above: 1024 + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + - name: tactic.id + level: extended + type: keyword + ignore_above: 1024 + description: The id of tactic used by this threat. You can use the Mitre ATT&CK + Matrix Tactic categorization, for example. (ex. 
https://attack.mitre.org/tactics/TA0040/ + ) + example: TA0040 + - name: tactic.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the type of tactic used by this threat. You can use the + Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ + ) + example: impact + - name: tactic.reference + level: extended + type: keyword + ignore_above: 1024 + description: The reference url of tactic used by this threat. You can use the + Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ + ) + example: https://attack.mitre.org/tactics/TA0040/ + - name: technique.id + level: extended + type: keyword + ignore_above: 1024 + description: The id of technique used by this tactic. You can use the Mitre + ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ + ) + example: T1499 + - name: technique.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The name of technique used by this tactic. You can use the Mitre + ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ + ) + example: endpoint denial of service + - name: technique.reference + level: extended + type: keyword + ignore_above: 1024 + description: The reference url of technique used by this tactic. You can use + the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ + ) + example: https://attack.mitre.org/techniques/T1499/ +- name: user + title: User + group: 2 + description: 'The user fields describe information about the user that is relevant + to the event. + + Fields can have one entry or multiple entries. If a user has more than one id, + provide an array that includes all of them.' 
+ type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.real + level: custom + type: object + object_type: keyword + description: User info prior to any setuid operations. + default_field: false + - name: Ext.real.id + level: custom + type: keyword + ignore_above: 1024 + description: One or multiple unique identifiers of the user. + default_field: false + - name: Ext.real.name + level: custom + type: keyword + ignore_above: 1024 + description: Short name or login of the user. + default_field: false + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + - name: full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: group.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: group.Ext.real + level: custom + type: object + object_type: keyword + description: Group info prior to any setgid operations. + default_field: false + - name: group.Ext.real.id + level: custom + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group.Ext.real.name + level: custom + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. 
+
+ For example, an LDAP or Active Directory domain name.'
+ - name: group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ - name: group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ - name: hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifiers of the user.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Short name or login of the user.
+ example: albert
diff --git a/packages/endpoint/0.5.0/dataset/alerts/manifest.yml b/packages/endpoint/0.5.0/dataset/alerts/manifest.yml
new file mode 100644
index 0000000000..8cbd721fb0
--- /dev/null
+++ b/packages/endpoint/0.5.0/dataset/alerts/manifest.yml
@@ -0,0 +1,3 @@
+title: Endpoint Alerts
+
+type: logs
diff --git a/packages/endpoint/0.5.0/dataset/events/fields/base-fields.yml b/packages/endpoint/0.5.0/dataset/events/fields/base-fields.yml
new file mode 100644
index 0000000000..5a6e3c1d08
--- /dev/null
+++ b/packages/endpoint/0.5.0/dataset/events/fields/base-fields.yml
@@ -0,0 +1,33 @@
+- name: stream.type
+ type: constant_keyword
+ description: >
+ Stream type
+- name: stream.dataset
+ type: constant_keyword
+ description: >
+ Stream dataset.
+- name: stream.namespace
+ type: constant_keyword
+ description: >
+ Stream namespace.
+- name: "@timestamp"
+ type: date
+ description: >
+ Event timestamp.
+
+- name: dataset.type
+ type: constant_keyword
+ description: >
+ Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: >
+ Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: >
+ Dataset namespace.
+- name: "@timestamp"
+ type: date
+ description: >
+ Event timestamp.
diff --git a/packages/endpoint/0.5.0/dataset/events/fields/fields.yml b/packages/endpoint/0.5.0/dataset/events/fields/fields.yml
new file mode 100644
index 0000000000..d867fb11bc
--- /dev/null
+++ b/packages/endpoint/0.5.0/dataset/events/fields/fields.yml
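Review bot: `@timestamp` is declared twice in base-fields.yml, once after the `stream.*` entries and again after the `dataset.*` entries, so one definition is redundant and, depending on how the package's field loader treats duplicate names, it either silently takes the last one or fails validation; keep a single `- name: "@timestamp"` entry. The `stream.*` and `dataset.*` triples look like the same three fields under two naming schemes (presumably a rename in flight), which deserves a comment saying which set is current, e.g. `# dataset.* supersedes stream.*; drop stream.* once consumers have migrated` — if that is indeed the intent. Minor: the `stream.type` description `Stream type` lacks the trailing period every sibling entry has; `Stream type.`.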
@@ -0,0 +1,4329 @@
+- name: '@timestamp'
+ level: core
+ required: true
+ type: date
+ description: 'Date/time when the event originated.
+
+ This is the date/time extracted from the event, typically representing when
+ the event was generated by the source.
+
+ If the event source has no original timestamp, this value is typically populated
+ by the first time the event was received by the pipeline.
+
+ Required field for all events.'
+ example: '2016-05-23T08:05:34.853Z'
+- name: message
+ level: core
+ type: text
+ description: 'For log events the message field contains the log message, optimized
+ for viewing in a log viewer.
+
+ For structured logs without an original message field, other fields can be concatenated
+ to form a human-readable summary of the event.
+
+ If multiple messages exist, they can be combined into one message.'
+ example: Hello World
+- name: Endpoint
+ title: Endpoint
+ group: 2
+ description: Fields describing the state of the Elastic Endpoint when an event
+ occurs.
+ type: group
+ fields:
+ - name: policy
+ level: custom
+ type: object
+ object_type: keyword
+ description: The policy fields are used to hold information about applied policy.
+ default_field: false
+ - name: policy.applied
+ level: custom
+ type: object
+ object_type: keyword
+ description: information about the policy that is applied
+ default_field: false
+ - name: policy.applied.artifacts
+ level: custom
+ type: object
+ object_type: keyword
+ description: information about protection artifacts applied.
+ enabled: false
+ default_field: false
+ - name: policy.applied.artifacts.global
+ level: custom
+ type: object
+ object_type: keyword
+ description: information about global protection artifacts applied.
+ default_field: false
+ - name: policy.applied.artifacts.global.identifiers
+ level: custom
+ type: nested
+ description: the identifiers of global artifacts applied.
+ default_field: false + - name: policy.applied.artifacts.global.identifiers.name + level: custom + type: keyword + ignore_above: 1024 + description: the name of global artifact applied. + default_field: false + - name: policy.applied.artifacts.global.identifiers.sha256 + level: custom + type: keyword + ignore_above: 1024 + description: the sha256 of global artifacts applied. + default_field: false + - name: policy.applied.artifacts.global.version + level: custom + type: keyword + ignore_above: 1024 + description: the version of global artifacts applied. + default_field: false + - name: policy.applied.artifacts.user + level: custom + type: object + object_type: keyword + description: information about user protection artifacts applied. + default_field: false + - name: policy.applied.artifacts.user.identifiers + level: custom + type: nested + description: the identifiers of user artifacts applied. + default_field: false + - name: policy.applied.artifacts.user.identifiers.name + level: custom + type: keyword + ignore_above: 1024 + description: the name of user artifact applied. + default_field: false + - name: policy.applied.artifacts.user.identifiers.sha256 + level: custom + type: keyword + ignore_above: 1024 + description: the sha256 of user artifacts applied. + default_field: false + - name: policy.applied.artifacts.user.version + level: custom + type: keyword + ignore_above: 1024 + description: the version of user artifacts applied. 
+ default_field: false + - name: policy.applied.id + level: custom + type: keyword + ignore_above: 1024 + description: the id of the applied policy + default_field: false + - name: policy.applied.name + level: custom + type: keyword + ignore_above: 1024 + description: the name of this applied policy + default_field: false + - name: policy.applied.status + level: custom + type: keyword + ignore_above: 1024 + description: the status of the applied policy + default_field: false + - name: policy.applied.version + level: custom + type: keyword + ignore_above: 1024 + description: the version of this applied policy + default_field: false +- name: Target + title: Target + group: 2 + description: 'These fields contain information about a target. + + These fields provide more context about the target process and thread that are + related to the data in the document. Useful in a security context where a target + process or thread may be acted on by another process or thread.' + type: group + fields: + - name: dll.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: dll.Ext.compile_time + level: custom + type: date + description: Timestamp from when the module was compiled. + default_field: false + - name: dll.Ext.malware_classification.features.data.buffer + level: custom + type: keyword + ignore_above: 1024 + description: The features extracted from this file and evaluated by the model. Usually + an array of floats. Likely zlib-encoded. + default_field: false + - name: dll.Ext.malware_classification.features.data.decompressed_size + level: custom + type: integer + description: The decompressed size of buffer. + default_field: false + - name: dll.Ext.malware_classification.features.data.encoding + level: custom + type: keyword + ignore_above: 1024 + description: The encoding of buffer (e.g. zlib). 
+ default_field: false + - name: dll.Ext.malware_classification.identifier + level: custom + type: keyword + ignore_above: 1024 + description: The model's unique identifier. + default_field: false + - name: dll.Ext.malware_classification.score + level: custom + type: double + description: The score produced by the classification model. + default_field: false + - name: dll.Ext.malware_classification.threshold + level: custom + type: double + description: The score threshold for the model. Files that score above this + threshold are considered malicious. + default_field: false + - name: dll.Ext.malware_classification.upx_packed + level: custom + type: boolean + description: Whether UPX packing was detected. + default_field: false + - name: dll.Ext.malware_classification.version + level: custom + type: keyword + ignore_above: 1024 + description: The version of the model used. + default_field: false + - name: dll.Ext.mapped_address + level: custom + type: keyword + ignore_above: 1024 + description: The base address where this module is loaded. + default_field: false + - name: dll.Ext.mapped_size + level: custom + type: long + description: The size of this module's memory mapping, in bytes. + default_field: false + - name: dll.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: dll.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: dll.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: dll.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: dll.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: dll.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: dll.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: dll.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: dll.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: dll.name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the library. + + This generally maps to the name of the file on disk.' + example: kernel32.dll + default_field: false + - name: dll.path + level: extended + type: keyword + ignore_above: 1024 + description: Full file path of the library. + example: C:\Windows\System32\kernel32.dll + default_field: false + - name: dll.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. 
+ example: Microsoft Corporation + default_field: false + - name: dll.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: dll.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: dll.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: dll.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: process.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: process.Ext.ancestry + level: custom + type: keyword + ignore_above: 1024 + description: An array of entity_ids indicating the ancestors for this event + default_field: false + - name: process.Ext.authentication_id + level: custom + type: keyword + ignore_above: 1024 + description: Process authentication ID + default_field: false + - name: process.Ext.code_signature + level: custom + type: nested + description: Nested version of ECS code_signature fieldset. + default_field: false + - name: process.Ext.code_signature.exists + level: custom + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: process.Ext.code_signature.status + level: custom + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. 
+ + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: process.Ext.code_signature.subject_name + level: custom + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: process.Ext.code_signature.trusted + level: custom + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: process.Ext.code_signature.valid + level: custom + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: process.Ext.malware_classification.features.data.buffer + level: custom + type: keyword + ignore_above: 1024 + description: The features extracted from this file and evaluated by the model. Usually + an array of floats. Likely zlib-encoded. + default_field: false + - name: process.Ext.malware_classification.features.data.decompressed_size + level: custom + type: integer + description: The decompressed size of buffer. + default_field: false + - name: process.Ext.malware_classification.features.data.encoding + level: custom + type: keyword + ignore_above: 1024 + description: The encoding of buffer (e.g. zlib). + default_field: false + - name: process.Ext.malware_classification.identifier + level: custom + type: keyword + ignore_above: 1024 + description: The model's unique identifier. 
+ default_field: false + - name: process.Ext.malware_classification.score + level: custom + type: double + description: The score produced by the classification model. + default_field: false + - name: process.Ext.malware_classification.threshold + level: custom + type: double + description: The score threshold for the model. Files that score above this + threshold are considered malicious. + default_field: false + - name: process.Ext.malware_classification.upx_packed + level: custom + type: boolean + description: Whether UPX packing was detected. + default_field: false + - name: process.Ext.malware_classification.version + level: custom + type: keyword + ignore_above: 1024 + description: The version of the model used. + default_field: false + - name: process.Ext.services + level: custom + type: keyword + ignore_above: 1024 + description: Services running in this process. + default_field: false + - name: process.Ext.session + level: custom + type: keyword + ignore_above: 1024 + description: Session information for the current process + default_field: false + - name: process.Ext.token.domain + level: custom + type: keyword + ignore_above: 1024 + description: Domain of token user. + default_field: false + - name: process.Ext.token.elevation + level: custom + type: boolean + description: Whether the token is elevated or not + default_field: false + - name: process.Ext.token.elevation_type + level: custom + type: keyword + ignore_above: 1024 + description: What level of elevation the token has + example: one of "default", "full", "limited" + default_field: false + - name: process.Ext.token.impersonation_level + level: custom + type: keyword + ignore_above: 1024 + description: Impersonation level. Only valid for impersonation tokens. + default_field: false + - name: process.Ext.token.integrity_level + level: custom + type: long + description: Numeric integrity level. 
+ default_field: false + - name: process.Ext.token.integrity_level_name + level: custom + type: keyword + ignore_above: 1024 + description: Human readable integrity level. + example: one of "system", "high", "medium", "low", "untrusted" + default_field: false + - name: process.Ext.token.is_appcontainer + level: custom + type: boolean + description: Whether or not this is an appcontainer token. + default_field: false + - name: process.Ext.token.privileges + level: custom + type: nested + description: Array describing the privileges associated with the token. + default_field: false + - name: process.Ext.token.privileges.description + level: custom + type: keyword + ignore_above: 1024 + description: Description of the privilege. + default_field: false + - name: process.Ext.token.privileges.enabled + level: custom + type: boolean + description: Whether or not the privilege is enabled. + default_field: false + - name: process.Ext.token.privileges.name + level: custom + type: keyword + ignore_above: 1024 + description: Name of the privilege. + default_field: false + - name: process.Ext.token.sid + level: custom + type: keyword + ignore_above: 1024 + description: Token user's Security Identifier (SID). + default_field: false + - name: process.Ext.token.type + level: custom + type: keyword + ignore_above: 1024 + description: Type of the token, either primary or impersonation. + default_field: false + - name: process.Ext.token.user + level: custom + type: keyword + ignore_above: 1024 + description: Username of token owner. + default_field: false + - name: process.Ext.user + level: custom + type: keyword + ignore_above: 1024 + description: User associated with the running process. + default_field: false + - name: process.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' 
+ example: + - /usr/bin/ssh + - -l + - user + - 10.0.0.16 + default_field: false + - name: process.args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: process.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: process.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: process.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: process.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: process.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + default_field: false + - name: process.command_line + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: process.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: process.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: process.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: process.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: process.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: process.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. 
+ default_field: false + - name: process.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: process.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: process.parent.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: process.parent.Ext.code_signature + level: custom + type: nested + description: Nested version of ECS code_signature fieldset. + default_field: false + - name: process.parent.Ext.code_signature.exists + level: custom + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: process.parent.Ext.code_signature.status + level: custom + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: process.parent.Ext.code_signature.subject_name + level: custom + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: process.parent.Ext.code_signature.trusted + level: custom + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' 
+ example: 'true' + default_field: false + - name: process.parent.Ext.code_signature.valid + level: custom + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: process.parent.Ext.real + level: custom + type: object + object_type: keyword + description: The field set containing parent process info in case of any ppid + spoofing. + default_field: false + - name: process.parent.Ext.real.pid + level: custom + type: long + description: The ppid of the process that actually spawned the current process, + in case of ppid spoofing. + default_field: false + - name: process.parent.args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments. + + May be filtered to protect sensitive information.' + example: + - ssh + - -l + - user + - 10.0.0.16 + default_field: false + - name: process.parent.args_count + level: extended + type: long + description: 'Length of the process.args array. + + This field can be useful for querying or performing bucket analysis on how + many arguments were provided to start a process. More arguments may be an + indication of suspicious activity.' + example: 4 + default_field: false + - name: process.parent.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: process.parent.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: process.parent.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: process.parent.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: process.parent.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: process.parent.command_line + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: process.parent.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d + default_field: false + - name: process.parent.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: process.parent.exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: process.parent.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: process.parent.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: process.parent.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: process.parent.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: process.parent.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: process.parent.pgid + level: extended + type: long + format: string + description: Identifier of the group of processes the process belongs to. + default_field: false + - name: process.parent.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: process.parent.ppid + level: extended + type: long + format: string + description: Parent process' pid. + example: 4241 + default_field: false + - name: process.parent.start + level: extended + type: date + description: The time the process started. 
+ example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: process.parent.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: process.parent.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: process.parent.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: process.parent.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: process.parent.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The working directory of the process. + example: /home/alice + default_field: false + - name: process.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: process.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: process.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: process.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + default_field: false + - name: process.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: process.pgid + level: extended + type: long + format: string + description: Identifier of the group of processes the process belongs to. + default_field: false + - name: process.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: process.ppid + level: extended + type: long + format: string + description: Parent process' pid. + example: 4241 + default_field: false + - name: process.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: process.thread.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: process.thread.Ext.call_stack.instruction_pointer + level: custom + type: keyword + ignore_above: 1024 + description: The return address of this stack frame. + default_field: false + - name: process.thread.Ext.call_stack.memory_section.address + level: custom + type: keyword + ignore_above: 1024 + description: Base address of the memory region containing `instruction_pointer`. Corresponds + to `MEMORY_BASIC_INFORMATION.BaseAddress` + default_field: false + - name: process.thread.Ext.call_stack.memory_section.protection + level: custom + type: keyword + ignore_above: 1024 + description: Memory protection flags of this memory region. Corresponds to + `MEMORY_BASIC_INFORMATION.Protect` + default_field: false + - name: process.thread.Ext.call_stack.memory_section.size + level: custom + type: keyword + ignore_above: 1024 + description: Size of the memory region containing `instruction_pointer`. 
Corresponds + to `MEMORY_BASIC_INFORMATION.RegionSize` + default_field: false + - name: process.thread.Ext.call_stack.module_path + level: custom + type: keyword + ignore_above: 1024 + description: The DLL/module containing `instruction_pointer`. + default_field: false + - name: process.thread.Ext.call_stack.rva + level: custom + type: keyword + ignore_above: 1024 + description: The relative virtual address of `instruction_pointer`. Computed + as `instruction_pointer - MEMORY_BASIC_INFORMATION.AllocationBase`. + default_field: false + - name: process.thread.Ext.call_stack.symbol_info + level: custom + type: keyword + ignore_above: 1024 + description: The nearest symbol for `instruction_pointer`. + default_field: false + - name: process.thread.Ext.service + level: custom + type: keyword + ignore_above: 1024 + description: Service associated with the thread. + example: VaultSvc + default_field: false + - name: process.thread.Ext.start + level: custom + type: date + description: The time the thread started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: process.thread.Ext.start_address + level: custom + type: keyword + ignore_above: 1024 + description: Memory address where the thread began execution. + example: 5442508 + default_field: false + - name: process.thread.Ext.start_address_module + level: custom + type: keyword + ignore_above: 1024 + description: The dll/module where the thread began execution. + example: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe + default_field: false + - name: process.thread.Ext.token.domain + level: custom + type: keyword + ignore_above: 1024 + description: Domain of token user. 
+ default_field: false + - name: process.thread.Ext.token.elevation + level: custom + type: boolean + description: Whether the token is elevated or not + default_field: false + - name: process.thread.Ext.token.elevation_type + level: custom + type: keyword + ignore_above: 1024 + description: What level of elevation the token has + example: one of "default", "full", "limited" + default_field: false + - name: process.thread.Ext.token.impersonation_level + level: custom + type: keyword + ignore_above: 1024 + description: Impersonation level. Only valid for impersonation tokens. + default_field: false + - name: process.thread.Ext.token.integrity_level + level: custom + type: long + description: Numeric integrity level. + default_field: false + - name: process.thread.Ext.token.integrity_level_name + level: custom + type: keyword + ignore_above: 1024 + description: Human readable integrity level. + example: one of "system", "high", "medium", "low", "untrusted" + default_field: false + - name: process.thread.Ext.token.is_appcontainer + level: custom + type: boolean + description: Whether or not this is an appcontainer token. + default_field: false + - name: process.thread.Ext.token.privileges + level: custom + type: nested + description: Array describing the privileges associated with the token. + default_field: false + - name: process.thread.Ext.token.privileges.description + level: custom + type: keyword + ignore_above: 1024 + description: Description of the privilege. + default_field: false + - name: process.thread.Ext.token.privileges.enabled + level: custom + type: boolean + description: Whether or not the privilege is enabled. + default_field: false + - name: process.thread.Ext.token.privileges.name + level: custom + type: keyword + ignore_above: 1024 + description: Name of the privilege. + default_field: false + - name: process.thread.Ext.token.sid + level: custom + type: keyword + ignore_above: 1024 + description: Token user's Security Identifier (SID). 
+ default_field: false + - name: process.thread.Ext.token.type + level: custom + type: keyword + ignore_above: 1024 + description: Type of the token, either primary or impersonation. + default_field: false + - name: process.thread.Ext.token.user + level: custom + type: keyword + ignore_above: 1024 + description: Username of token owner. + default_field: false + - name: process.thread.Ext.uptime + level: custom + type: long + description: Seconds since thread started. + default_field: false + - name: process.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: process.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: process.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: process.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: process.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The working directory of the process. + example: /home/alice + default_field: false +- name: agent + title: Agent + group: 2 + description: 'The agent fields contain the data about the software entity, if + any, that collects, detects, or observes events on a host, or takes measurements + on a host. + + Examples include Beats. Agents may also run on observers. ECS agent.* fields + shall be populated with details of the agent running on the host or observer + where the event happened or the measurement was taken.' 
+ footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. + For APM, it is the agent running in the app/service. The agent information does + not change if data is sent through queuing systems like Kafka, Redis, or processing + systems such as Logstash or APM Server.' + type: group + fields: + - name: ephemeral_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Ephemeral identifier of this agent (if one exists). + + This id normally changes across restarts, but `agent.id` does not.' + example: 8a4f500f + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique identifier of this agent (if one exists). + + Example: For Beats this would be beat.id.' + example: 8a4f500d + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Custom name of the agent. + + This is a name that can be given to an agent. This can be helpful if for example + two Filebeat instances are running on the same host but a human readable separation + is needed on which Filebeat instance data is coming from. + + If no name is given, the name is often left empty.' + example: foo + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of the agent. + + The agent type stays always the same and should be given by the agent used. + In case of Filebeat the agent would always be Filebeat also if two Filebeat + instances are run on the same machine.' + example: filebeat + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Version of the agent. + example: 6.0.0-rc2 +- name: destination + title: Destination + group: 2 + description: 'Destination fields describe details about the destination of a packet/event. + + Destination fields are usually populated in conjunction with source fields.' 
+ type: group + fields: + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event destination addresses are defined ambiguously. The + event will sometimes list an IP, a domain or a unix socket. You should always + store the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Destination domain. + - name: ip + level: core + type: ip + description: 'IP address of the destination. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: packets + level: core + type: long + description: Packets sent from the destination to the source. + example: 12 + - name: port + level: core + type: long + format: string + description: Port of the destination. + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered destination domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: google.com + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk +- name: dll + title: DLL + group: 2 + description: 'These fields contain information about code libraries dynamically + loaded into processes. + + + Many operating systems refer to "shared code libraries" with different names, + but this field set refers to all of the following: + + * Dynamic-link library (`.dll`) commonly used on Windows + + * Shared Object (`.so`) commonly used on Unix-like operating systems + + * Dynamic library (`.dylib`) commonly used on macOS' + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.compile_time + level: custom + type: date + description: Timestamp from when the module was compiled. + default_field: false + - name: Ext.malware_classification.features.data.buffer + level: custom + type: keyword + ignore_above: 1024 + description: The features extracted from this file and evaluated by the model. Usually + an array of floats. Likely zlib-encoded. + default_field: false + - name: Ext.malware_classification.features.data.decompressed_size + level: custom + type: integer + description: The decompressed size of buffer. + default_field: false + - name: Ext.malware_classification.features.data.encoding + level: custom + type: keyword + ignore_above: 1024 + description: The encoding of buffer (e.g. zlib). + default_field: false + - name: Ext.malware_classification.identifier + level: custom + type: keyword + ignore_above: 1024 + description: The model's unique identifier. + default_field: false + - name: Ext.malware_classification.score + level: custom + type: double + description: The score produced by the classification model. + default_field: false + - name: Ext.malware_classification.threshold + level: custom + type: double + description: The score threshold for the model. Files that score above this + threshold are considered malicious. 
+ default_field: false + - name: Ext.malware_classification.upx_packed + level: custom + type: boolean + description: Whether UPX packing was detected. + default_field: false + - name: Ext.malware_classification.version + level: custom + type: keyword + ignore_above: 1024 + description: The version of the model used. + default_field: false + - name: Ext.mapped_address + level: custom + type: keyword + ignore_above: 1024 + description: The base address where this module is loaded. + default_field: false + - name: Ext.mapped_size + level: custom + type: long + description: The size of this module's memory mapping, in bytes. + default_field: false + - name: code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + default_field: false + - name: hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the library. + + This generally maps to the name of the file on disk.' + example: kernel32.dll + default_field: false + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Full file path of the library. + example: C:\Windows\System32\kernel32.dll + default_field: false + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. 
+ example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false +- name: dns + title: DNS + group: 2 + description: 'Fields describing DNS queries and answers. + + DNS events should either represent a single DNS query prior to getting answers + (`dns.type:query`) or they should represent a full exchange and contain the + query details as well as all of the answers that were provided for this query + (`dns.type:answer`).' + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.options + level: custom + type: keyword + ignore_above: 1024 + description: DNS options field, uint64, representing as a keyword to avoid overflows + in ES + default_field: false + - name: Ext.status + level: custom + type: long + description: DNS status field, uint32 + default_field: false + - name: question.name + level: extended + type: keyword + ignore_above: 1024 + description: 'The name being queried. + + If the name field contains non-printable characters (below 32 or above 126), + those characters should be represented as escaped base 10 integers (\DDD). + Back slashes and quotes should be escaped. Tabs, carriage returns, and line + feeds should be converted to \t, \r, and \n respectively.' + example: www.google.com + - name: question.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: google.com + - name: question.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain is all of the labels under the registered_domain. + + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: www + - name: question.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: question.type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: resolved_ip + level: extended + type: ip + description: 'Array containing all IPs seen in `answers.data`. + + The `answers` array can be difficult to use, because of the variety of data + formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` + makes it possible to index them as IP addresses, and makes them easier to + visualize and query for.' + example: + - 10.10.10.10 + - 10.10.10.11 +- name: ecs + title: ECS + group: 2 + description: Meta-information specific to ECS. + type: group + fields: + - name: version + level: core + required: true + type: keyword + ignore_above: 1024 + description: 'ECS version this event conforms to. `ecs.version` is a required + field and must exist in all events. + + When querying across multiple indices -- which may conform to slightly different + ECS versions -- this field lets integrations adjust to the schema version + of the events.' 
+ example: 1.0.0 +- name: elastic + title: Elastic + group: 2 + description: Holds fields and properties of data points and concepts in the elastic + domain or namespace. + type: group + fields: + - name: agent + level: custom + type: object + object_type: keyword + description: The agent fields contain data about the Elastic Agent. The Elastic + Agent is the management agent that manages other agents or process on the + host. + default_field: false + - name: agent.id + level: custom + type: keyword + ignore_above: 1024 + description: Unique identifier of this elastic agent (if one exists). + example: c2a9093e-e289-4c0a-aa44-8c32a414fa7a + default_field: false +- name: event + title: Event + group: 2 + description: 'The event fields are used for context information about the log + or metric event itself. + + A log is defined as an event containing details of something that happened. + Log events must include the time at which the thing happened. Examples of log + events include a process starting on a host, a network packet being sent from + a source to a destination, or a network connection between a client and a server + being initiated or closed. A metric is defined as an event containing one or + more numerical measurements and the time at which the measurement was taken. + Examples of metric events include memory pressure measured on a host and device + temperature. See the `event.kind` definition in this section for additional + details about metric and state events.' + type: group + fields: + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is + normally defined by the implementer.' 
+ example: user-password-change + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as + a subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: created + level: core + type: date + description: 'event.created contains the date/time when the event was first + read by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain + the time extracted from the original event. + + In most situations, these two timestamps will be slightly different. The difference + can be used to calculate the delay between your source generating an event, + and the time when your agent first processed it. This can be used to monitor + your agent''s or pipeline''s ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used.' + example: '2016-05-23T08:05:34.857Z' + - name: dataset + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the dataset. + + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which one the event comes + from. + + It''s recommended but not required to start the dataset name with the module + name, followed by a dot, then the dataset name.' + example: apache.access + - name: hash + level: extended + type: keyword + ignore_above: 1024 + description: Hash (perhaps logstash fingerprint) of raw field to be able to + demonstrate log integrity. 
+ example: 123456789012345678901234567890ABCD + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique ID to describe the event. + example: 8a4f500d + - name: ingested + level: core + type: date + description: 'Timestamp when an event arrived in the central data store. + + This is different from `@timestamp`, which is when the event originally occurred. It''s + also different from `event.created`, which is meant to capture the first time + an agent saw the event. + + In normal conditions, assuming no tampering, the timestamps should chronologically + look like this: `@timestamp` < `event.created` < `event.ingested`.' + example: '2016-05-23T08:05:35.101Z' + default_field: false + - name: kind + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + highest level in the ECS category hierarchy. + + `event.kind` gives high-level information about what type of information the + event contains, without being specific to the contents of the event. For example, + values of this field distinguish alert events from metric events. + + The value of this field can be used to inform how these kinds of events should + be handled. They may warrant different retention, different access control, + it may also help understand whether the data coming in at a regular interval + or not.' + example: alert + - name: module + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the module this data is coming from. + + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. Apache logs), `event.module` should contain + the name of this module.' + example: apache + - name: outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. 
+ + `event.outcome` simply denotes whether the event represents a success or a + failure from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each + event may populate different values of `event.outcome`, according to their + perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + - name: sequence + level: extended + type: long + format: string + description: 'Sequence number of the event. + + The sequence number is a value published by some event sources, to make the + exact ordering of events unambiguous, regardless of the timestamp precision.' + - name: severity + level: core + type: long + format: string + description: 'The numeric severity of the event according to your event source. + + What the different severity values mean can be different between sources and + use cases. It''s up to the implementer to make sure severities are consistent + across events from the same source. + + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` + is meant to represent the severity according to the event source (e.g. firewall, + IDS). If the event source does not publish its own severity, you may optionally + copy the `log.syslog.severity.code` to `event.severity`.' + example: 7 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + third level in the ECS category hierarchy. 
+ + `event.type` represents a categorization "sub-bucket" that, when used along + with the `event.category` field values, enables filtering events down to a + level appropriate for single visualization. + + This field is an array. This will allow proper categorization of some events + that fall in multiple event types.' +- name: file + title: File + group: 2 + description: 'A file is defined as a set of information that has been created + on, or has existed on a filesystem. + + File objects can be associated with host events, network events, and/or file + events (e.g., those produced by File Integrity Monitoring [FIM] products or + services). File fields provide details about the affected file associated with + the event or metric.' + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.code_signature + level: custom + type: nested + description: Nested version of ECS code_signature fieldset. + default_field: false + - name: Ext.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: Ext.code_signature.status + level: custom + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: Ext.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: Ext.code_signature.trusted + level: custom + type: boolean + description: 'Stores the trust status of the certificate chain. 
+ + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: Ext.code_signature.valid + level: custom + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: Ext.entry_modified + level: custom + type: double + description: Time of last status change. See `st_ctim` member of `struct stat`. + default_field: false + - name: Ext.macro.code_page + level: custom + type: long + description: Identifies the character encoding used for this macro. https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers + default_field: false + - name: Ext.macro.collection + level: custom + type: object + object_type: keyword + description: Object containing hashes for the macro collection. + default_field: false + - name: Ext.macro.collection.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: Ext.macro.collection.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: Ext.macro.collection.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: Ext.macro.collection.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: Ext.macro.errors + level: custom + type: nested + description: Errors that occurred when parsing this document file. + default_field: false + - name: Ext.macro.errors.count + level: custom + type: long + description: Number of times this error that occurred. 
+ default_field: false + - name: Ext.macro.errors.error_type + level: custom + type: keyword + ignore_above: 1024 + description: The type of parsing error that occurred. + default_field: false + - name: Ext.macro.file_extension + level: custom + type: keyword + ignore_above: 1024 + description: The extension of the file containing this macro (e.g. .docm) + default_field: false + - name: Ext.macro.project_file + level: custom + type: object + object_type: keyword + description: Metadata about the corresponding VBA project file + default_field: false + - name: Ext.macro.project_file.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: Ext.macro.project_file.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: Ext.macro.project_file.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: Ext.macro.project_file.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: Ext.macro.stream + level: custom + type: nested + description: Streams associated with the document. + default_field: false + - name: Ext.macro.stream.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: Ext.macro.stream.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: Ext.macro.stream.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: Ext.macro.stream.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: Ext.macro.stream.name + level: custom + type: keyword + ignore_above: 1024 + description: Name of the stream. 
+ default_field: false + - name: Ext.macro.stream.raw_code + level: custom + type: keyword + ignore_above: 1024 + description: First 100KB of raw stream binary. Can be useful to analyze false + positives and malicious payloads. + default_field: false + - name: Ext.macro.stream.raw_code_size + level: custom + type: keyword + ignore_above: 1024 + description: The original stream size. Indicates whether stream.raw_code was + truncated. + default_field: false + - name: Ext.malware_classification.features.data.buffer + level: custom + type: keyword + ignore_above: 1024 + description: The features extracted from this file and evaluated by the model. Usually + an array of floats. Likely zlib-encoded. + default_field: false + - name: Ext.malware_classification.features.data.decompressed_size + level: custom + type: integer + description: The decompressed size of buffer. + default_field: false + - name: Ext.malware_classification.features.data.encoding + level: custom + type: keyword + ignore_above: 1024 + description: The encoding of buffer (e.g. zlib). + default_field: false + - name: Ext.malware_classification.identifier + level: custom + type: keyword + ignore_above: 1024 + description: The model's unique identifier. + default_field: false + - name: Ext.malware_classification.score + level: custom + type: double + description: The score produced by the classification model. + default_field: false + - name: Ext.malware_classification.threshold + level: custom + type: double + description: The score threshold for the model. Files that score above this + threshold are considered malicious. + default_field: false + - name: Ext.malware_classification.upx_packed + level: custom + type: boolean + description: Whether UPX packing was detected. + default_field: false + - name: Ext.malware_classification.version + level: custom + type: keyword + ignore_above: 1024 + description: The version of the model used. 
+ default_field: false + - name: Ext.original + level: custom + type: object + object_type: keyword + description: Original file information during a modification event. + default_field: false + - name: Ext.original.gid + level: custom + type: keyword + ignore_above: 1024 + description: Primary group ID (GID) of the file. + example: '1001' + default_field: false + - name: Ext.original.group + level: custom + type: keyword + ignore_above: 1024 + description: Primary group name of the file. + example: alice + default_field: false + - name: Ext.original.mode + level: custom + type: keyword + ignore_above: 1024 + description: Original file mode prior to a modification event + default_field: false + - name: Ext.original.name + level: custom + type: keyword + ignore_above: 1024 + description: Original file name prior to a modification event + default_field: false + - name: Ext.original.owner + level: custom + type: keyword + ignore_above: 1024 + description: File owner's username. + example: alice + default_field: false + - name: Ext.original.path + level: custom + type: keyword + ignore_above: 1024 + description: Original file path prior to a modification event + default_field: false + - name: Ext.original.uid + level: custom + type: keyword + ignore_above: 1024 + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + default_field: false + - name: Ext.quarantine_path + level: custom + type: keyword + ignore_above: 1024 + description: Path on endpoint the quarantined file was originally. + default_field: false + - name: Ext.quarantine_result + level: custom + type: boolean + description: Boolean representing whether or not file quarantine succeeded. + default_field: false + - name: Ext.temp_file_path + level: custom + type: keyword + ignore_above: 1024 + description: Path on endpoint where a copy of the file is being stored. Used + to make ephemeral files retrievable. 
+ default_field: false + - name: Ext.windows + level: custom + type: object + object_type: keyword + description: Platform-specific Windows fields + default_field: false + - name: Ext.windows.zone_identifier + level: custom + type: keyword + ignore_above: 1024 + description: Windows zone identifier for a file + default_field: false + - name: accessed + level: extended + type: date + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + - name: attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + default_field: false + - name: code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' 
+ example: 'true' + default_field: false + - name: code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: created + level: extended + type: date + description: 'File creation time. + + Note that not all filesystems store the creation time.' + - name: ctime + level: extended + type: date + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + - name: device + level: extended + type: keyword + ignore_above: 1024 + description: Device that is the source of the file. + example: sda + - name: directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + - name: drive_letter + level: extended + type: keyword + ignore_above: 1 + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + default_field: false + - name: extension + level: extended + type: keyword + ignore_above: 1024 + description: File extension. + example: png + - name: gid + level: extended + type: keyword + ignore_above: 1024 + description: Primary group ID (GID) of the file. + example: '1001' + - name: group + level: extended + type: keyword + ignore_above: 1024 + description: Primary group name of the file. + example: alice + - name: hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + - name: hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. 
+ - name: hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + - name: hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + - name: inode + level: extended + type: keyword + ignore_above: 1024 + description: Inode representing the file in the filesystem. + example: '256383' + - name: mime_type + level: extended + type: keyword + ignore_above: 1024 + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + default_field: false + - name: mode + level: extended + type: keyword + ignore_above: 1024 + description: Mode of the file in octal representation. + example: '0640' + - name: mtime + level: extended + type: date + description: Last time the file content was modified. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + - name: owner + level: extended + type: keyword + ignore_above: 1024 + description: File owner's username. + example: alice + - name: path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. 
+ example: Paint
+ default_field: false
+ - name: pe.file_version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal version of the file, provided at compile-time.
+ example: 6.3.9600.17415
+ default_field: false
+ - name: pe.original_file_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal name of the file, provided at compile-time.
+ example: MSPAINT.EXE
+ default_field: false
+ - name: pe.product
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal product name of the file, provided at compile-time.
+ example: "Microsoft\xAE Windows\xAE Operating System"
+ default_field: false
+ - name: size
+ level: extended
+ type: long
+ description: 'File size in bytes.
+
+ Only relevant when `file.type` is "file".'
+ example: 16384
+ - name: target_path
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Target path for symlinks.
+ - name: type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: File type (file, dir, or symlink).
+ example: file
+ - name: uid
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: The user ID (UID) or security identifier (SID) of the file owner.
+ example: '1001'
+- name: group
+ title: Group
+ group: 2
+ description: The group fields are meant to represent groups that are relevant
+ to the event.
+ type: group
+ fields:
+ - name: Ext
+ level: custom
+ type: object
+ object_type: keyword
+ description: Object for all custom defined fields to live in.
+ default_field: false
+ - name: Ext.real
+ level: custom
+ type: object
+ object_type: keyword
+ description: Group info prior to any setgid operations.
+ default_field: false
+ - name: Ext.real.id
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: Ext.real.name
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ - name: id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the
+ event happened, or from which the measurement was taken. Host types include
+ hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain
+ or NetBIOS domain name. For Linux this could be the domain of the host''s
+ LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: geo.city_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: City name.
+ example: Montreal
+ - name: geo.continent_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Name of the continent.
+ example: North America
+ - name: geo.country_iso_code
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Country ISO code.
+ example: CA
+ - name: geo.country_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Country name.
+ example: Canada
+ - name: geo.location
+ level: core
+ type: geo_point
+ description: Longitude and latitude.
+ example: '{ "lon": -73.614830, "lat": 45.505918 }'
+ - name: geo.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'User-defined description of a location, at the level of granularity
+ they care about.
+
+ Could be the name of their data centers, the floor number, if this describes
+ a local physical entity, city names.
+
+ Not typically used in automated geolocation.'
+ example: boston-dc
+ - name: geo.region_iso_code
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Region ISO code.
+ example: CA-QC
+ - name: geo.region_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Region name.
+ example: Quebec
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified
+ domain name, or a name specified by the user. The sender decides which value
+ to use.'
+ - name: os.Ext
+ level: custom
+ type: object
+ object_type: keyword
+ description: Object for all custom defined fields to live in.
+ default_field: false
+ - name: os.Ext.variant
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: A string value or phrase that further aid to classify or qualify
+ the operating system (OS). For example the distribution for a Linux OS will
+ be entered in this field.
+ example: Ubuntu
+ default_field: false
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.full
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, including the version or code name.
+ example: Mac OS Mojave
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm,
+ this could be the container, for example, or other information meaningful
+ in your environment.'
+ - name: uptime
+ level: extended
+ type: long
+ description: Seconds the host has been up.
+ example: 1325
+ - name: user.Ext
+ level: custom
+ type: object
+ object_type: keyword
+ description: Object for all custom defined fields to live in.
+ default_field: false
+ - name: user.Ext.real
+ level: custom
+ type: object
+ object_type: keyword
+ description: User info prior to any setuid operations.
+ default_field: false
+ - name: user.Ext.real.id
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: One or multiple unique identifiers of the user.
+ default_field: false
+ - name: user.Ext.real.name
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Short name or login of the user.
+ default_field: false
+ - name: user.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ - name: user.email
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: User email address.
+ - name: user.full_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: User's full name, if available.
+ example: Albert Einstein
+ - name: user.group.Ext
+ level: custom
+ type: object
+ object_type: keyword
+ description: Object for all custom defined fields to live in.
+ default_field: false
+ - name: user.group.Ext.real
+ level: custom
+ type: object
+ object_type: keyword
+ description: Group info prior to any setgid operations.
+ default_field: false
+ - name: user.group.Ext.real.id
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: user.group.Ext.real.name
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: user.group.domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the group is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ - name: user.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ - name: user.group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ - name: user.hash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique user hash to correlate information for a user in anonymized
+ form.
+
+ Useful if `user.id` or `user.name` contain confidential information and cannot
+ be used.'
+ - name: user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifiers of the user.
+ - name: user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Short name or login of the user.
+ example: albert
+- name: http
+ title: HTTP
+ group: 2
+ description: Fields related to HTTP activity. Use the `url` field set to store
+ the url of the request.
+ type: group
+ fields:
+ - name: request.body.bytes
+ level: extended
+ type: long
+ format: bytes
+ description: Size in bytes of the request body.
+ example: 887
+ - name: request.body.content
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: The full HTTP request body.
+ example: Hello world
+ - name: request.bytes
+ level: extended
+ type: long
+ format: bytes
+ description: Total size in bytes of the request (body and headers).
+ example: 1437
+ - name: response.Ext
+ level: custom
+ type: object
+ object_type: keyword
+ description: Object for all custom defined fields to live in.
+ default_field: false
+ - name: response.Ext.version
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: HTTP version
+ default_field: false
+ - name: response.body.bytes
+ level: extended
+ type: long
+ format: bytes
+ description: Size in bytes of the response body.
+ example: 887
+ - name: response.body.content
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: The full HTTP response body.
+ example: Hello world
+ - name: response.bytes
+ level: extended
+ type: long
+ format: bytes
+ description: Total size in bytes of the response (body and headers).
+ example: 1437
+ - name: response.status_code
+ level: extended
+ type: long
+ format: string
+ description: HTTP response status code.
+ example: 404
+- name: network
+ title: Network
+ group: 2
+ description: 'The network is defined as the communication path over which a host
+ or network event happens.
+
+ The network.* fields should be populated with details about the network activity
+ associated with an event.'
+ type: group
+ fields:
+ - name: bytes
+ level: core
+ type: long
+ format: bytes
+ description: 'Total bytes transferred in both directions.
+
+ If `source.bytes` and `destination.bytes` are known, `network.bytes` is their
+ sum.'
+ example: 368
+ - name: community_id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of source and destination IPs and ports, as well as the
+ protocol used in a communication. This is a tool-agnostic standard to identify
+ flows.
+
+ Learn more at https://github.com/corelight/community-id-spec.'
+ example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
+ - name: direction
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Direction of the network traffic.\nRecommended values are:\n \
+ \ * inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen\
+ \ mapping events from a host-based monitoring context, populate this field\
+ \ from the host's point of view.\nWhen mapping events from a network or perimeter-based\
+ \ monitoring context, populate this field from the point of view of your network\
+ \ perimeter."
+ example: inbound
+ - name: iana_number
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
+ Standardized list of protocols. This aligns well with NetFlow and sFlow related
+ logs which use the IANA Protocol Number.
+ example: 6
+ - name: packets
+ level: core
+ type: long
+ description: 'Total packets transferred in both directions.
+
+ If `source.packets` and `destination.packets` are known, `network.packets`
+ is their sum.'
+ example: 24
+ - name: protocol
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol.
+
+ The field value must be normalized to lowercase for querying. See the documentation
+ section "Implementing ECS".'
+ example: http
+ - name: transport
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Same as network.iana_number, but instead using the Keyword name
+ of the transport layer (udp, tcp, ipv6-icmp, etc.)
+
+ The field value must be normalized to lowercase for querying. See the documentation
+ section "Implementing ECS".'
+ example: tcp
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6,
+ ipsec, pim, etc
+
+ The field value must be normalized to lowercase for querying. See the documentation
+ section "Implementing ECS".'
+ example: ipv4
+- name: package
+ title: Package
+ group: 2
+ description: These fields contain information about an installed software package.
+ It contains general information about a package, such as name, version or size.
+ It also contains installation details, such as time or location.
+ type: group
+ fields:
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Package name
+ example: go
+- name: process
+ title: Process
+ group: 2
+ description: 'These fields contain information about a process.
+
+ These fields can help you correlate metrics information with a process id/name
+ from a log message. The `process.pid` often stays in the metric itself and
+ is copied to the global field for correlation.'
+ type: group
+ fields:
+ - name: Ext
+ level: custom
+ type: object
+ object_type: keyword
+ description: Object for all custom defined fields to live in.
+ default_field: false
+ - name: Ext.ancestry
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: An array of entity_ids indicating the ancestors for this event
+ default_field: false
+ - name: Ext.authentication_id
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Process authentication ID
+ default_field: false
+ - name: Ext.code_signature
+ level: custom
+ type: nested
+ description: Nested version of ECS code_signature fieldset.
+ default_field: false
+ - name: Ext.code_signature.exists
+ level: custom
+ type: boolean
+ description: Boolean to capture if a signature is present.
+ example: 'true'
+ default_field: false
+ - name: Ext.code_signature.status
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: 'Additional information about the certificate status.
+
+ This is useful for logging cryptographic errors with the certificate validity
+ or trust status. Leave unpopulated if the validity or trust of the certificate
+ was unchecked.'
+ example: ERROR_UNTRUSTED_ROOT
+ default_field: false
+ - name: Ext.code_signature.subject_name
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Subject name of the code signer
+ example: Microsoft Corporation
+ default_field: false
+ - name: Ext.code_signature.trusted
+ level: custom
+ type: boolean
+ description: 'Stores the trust status of the certificate chain.
+
+ Validating the trust of the certificate chain may be complicated, and this
+ field should only be populated by tools that actively check the status.'
+ example: 'true'
+ default_field: false
+ - name: Ext.code_signature.valid
+ level: custom
+ type: boolean
+ description: 'Boolean to capture if the digital signature is verified against
+ the binary content.
+
+ Leave unpopulated if a certificate was unchecked.'
+ example: 'true'
+ default_field: false
+ - name: Ext.malware_classification.features.data.buffer
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: The features extracted from this file and evaluated by the model. Usually
+ an array of floats. Likely zlib-encoded.
+ default_field: false
+ - name: Ext.malware_classification.features.data.decompressed_size
+ level: custom
+ type: integer
+ description: The decompressed size of buffer.
+ default_field: false
+ - name: Ext.malware_classification.features.data.encoding
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: The encoding of buffer (e.g. zlib).
+ default_field: false
+ - name: Ext.malware_classification.identifier
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: The model's unique identifier.
+ default_field: false
+ - name: Ext.malware_classification.score
+ level: custom
+ type: double
+ description: The score produced by the classification model.
+ default_field: false
+ - name: Ext.malware_classification.threshold
+ level: custom
+ type: double
+ description: The score threshold for the model. Files that score above this
+ threshold are considered malicious.
+ default_field: false
+ - name: Ext.malware_classification.upx_packed
+ level: custom
+ type: boolean
+ description: Whether UPX packing was detected.
+ default_field: false
+ - name: Ext.malware_classification.version
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: The version of the model used.
+ default_field: false
+ - name: Ext.services
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Services running in this process.
+ default_field: false
+ - name: Ext.session
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Session information for the current process
+ default_field: false
+ - name: Ext.token.domain
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Domain of token user.
+ default_field: false
+ - name: Ext.token.elevation
+ level: custom
+ type: boolean
+ description: Whether the token is elevated or not
+ default_field: false
+ - name: Ext.token.elevation_type
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: What level of elevation the token has
+ example: one of "default", "full", "limited"
+ default_field: false
+ - name: Ext.token.impersonation_level
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Impersonation level. Only valid for impersonation tokens.
+ default_field: false
+ - name: Ext.token.integrity_level
+ level: custom
+ type: long
+ description: Numeric integrity level.
+ default_field: false
+ - name: Ext.token.integrity_level_name
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Human readable integrity level.
+ example: one of "system", "high", "medium", "low", "untrusted"
+ default_field: false
+ - name: Ext.token.is_appcontainer
+ level: custom
+ type: boolean
+ description: Whether or not this is an appcontainer token.
+ default_field: false
+ - name: Ext.token.privileges
+ level: custom
+ type: nested
+ description: Array describing the privileges associated with the token.
+ default_field: false
+ - name: Ext.token.privileges.description
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Description of the privilege.
+ default_field: false
+ - name: Ext.token.privileges.enabled
+ level: custom
+ type: boolean
+ description: Whether or not the privilege is enabled.
+ default_field: false
+ - name: Ext.token.privileges.name
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Name of the privilege.
+ default_field: false
+ - name: Ext.token.sid
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Token user's Security Identifier (SID).
+ default_field: false
+ - name: Ext.token.type
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Type of the token, either primary or impersonation.
+ default_field: false
+ - name: Ext.token.user
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Username of token owner.
+ default_field: false
+ - name: Ext.user
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: User associated with the running process.
+ default_field: false
+ - name: args
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Array of process arguments, starting with the absolute path to
+ the executable.
+
+ May be filtered to protect sensitive information.'
+ example:
+ - /usr/bin/ssh
+ - -l
+ - user
+ - 10.0.0.16
+ - name: args_count
+ level: extended
+ type: long
+ description: 'Length of the process.args array.
+
+ This field can be useful for querying or performing bucket analysis on how
+ many arguments were provided to start a process. More arguments may be an
+ indication of suspicious activity.'
+ example: 4
+ default_field: false
+ - name: code_signature.exists
+ level: core
+ type: boolean
+ description: Boolean to capture if a signature is present.
+ example: 'true'
+ default_field: false
+ - name: code_signature.status
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Additional information about the certificate status.
+
+ This is useful for logging cryptographic errors with the certificate validity
+ or trust status. Leave unpopulated if the validity or trust of the certificate
+ was unchecked.'
+ example: ERROR_UNTRUSTED_ROOT
+ default_field: false
+ - name: code_signature.subject_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Subject name of the code signer
+ example: Microsoft Corporation
+ default_field: false
+ - name: code_signature.trusted
+ level: extended
+ type: boolean
+ description: 'Stores the trust status of the certificate chain.
+
+ Validating the trust of the certificate chain may be complicated, and this
+ field should only be populated by tools that actively check the status.'
+ example: 'true'
+ default_field: false
+ - name: code_signature.valid
+ level: extended
+ type: boolean
+ description: 'Boolean to capture if the digital signature is verified against
+ the binary content.
+
+ Leave unpopulated if a certificate was unchecked.'
+ example: 'true'
+ default_field: false
+ - name: command_line
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ description: 'Full command line that started the process, including the absolute
+ path to the executable, and all arguments.
+
+ Some arguments may be filtered to protect sensitive information.'
+ example: /usr/bin/ssh -l user 10.0.0.16
+ default_field: false
+ - name: entity_id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique identifier for the process.
+
+ The implementation of this is specified by the data source, but some examples
+ of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
+ or a hash of some uniquely identifying components of a process.
+
+ Constructing a globally unique identifier is a common practice to mitigate
+ PID reuse as well as to identify a specific process over time, across multiple
+ monitored hosts.'
+ example: c2c455d9f99375d
+ default_field: false
+ - name: executable
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Absolute path to the process executable.
+ example: /usr/bin/ssh
+ - name: exit_code
+ level: extended
+ type: long
+ description: 'The exit code of the process, if this is a termination event.
+
+ The field should be absent if there is no exit code for the event (e.g. process
+ start).'
+ example: 137
+ default_field: false
+ - name: hash.md5
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: MD5 hash.
+ - name: hash.sha1
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA1 hash.
+ - name: hash.sha256
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA256 hash.
+ - name: hash.sha512
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA512 hash.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: 'Process name.
+
+ Sometimes called program name or similar.'
+ example: ssh
+ - name: parent.Ext
+ level: custom
+ type: object
+ object_type: keyword
+ description: Object for all custom defined fields to live in.
+ default_field: false
+ - name: parent.Ext.code_signature
+ level: custom
+ type: nested
+ description: Nested version of ECS code_signature fieldset.
+ default_field: false
+ - name: parent.Ext.code_signature.exists
+ level: custom
+ type: boolean
+ description: Boolean to capture if a signature is present.
+ example: 'true'
+ default_field: false
+ - name: parent.Ext.code_signature.status
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: 'Additional information about the certificate status.
+
+ This is useful for logging cryptographic errors with the certificate validity
+ or trust status. Leave unpopulated if the validity or trust of the certificate
+ was unchecked.'
+ example: ERROR_UNTRUSTED_ROOT
+ default_field: false
+ - name: parent.Ext.code_signature.subject_name
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Subject name of the code signer
+ example: Microsoft Corporation
+ default_field: false
+ - name: parent.Ext.code_signature.trusted
+ level: custom
+ type: boolean
+ description: 'Stores the trust status of the certificate chain.
+
+ Validating the trust of the certificate chain may be complicated, and this
+ field should only be populated by tools that actively check the status.'
+ example: 'true'
+ default_field: false
+ - name: parent.Ext.code_signature.valid
+ level: custom
+ type: boolean
+ description: 'Boolean to capture if the digital signature is verified against
+ the binary content.
+
+ Leave unpopulated if a certificate was unchecked.'
+ example: 'true'
+ default_field: false
+ - name: parent.Ext.real
+ level: custom
+ type: object
+ object_type: keyword
+ description: The field set containing parent process info in case of any ppid
+ spoofing.
+ default_field: false
+ - name: parent.Ext.real.pid
+ level: custom
+ type: long
+ description: The ppid of the process that actually spawned the current process,
+ in case of ppid spoofing.
+ default_field: false
+ - name: parent.args
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Array of process arguments.
+
+ May be filtered to protect sensitive information.'
+ example:
+ - ssh
+ - -l
+ - user
+ - 10.0.0.16
+ default_field: false
+ - name: parent.args_count
+ level: extended
+ type: long
+ description: 'Length of the process.args array.
+
+ This field can be useful for querying or performing bucket analysis on how
+ many arguments were provided to start a process. More arguments may be an
+ indication of suspicious activity.'
+ example: 4
+ default_field: false
+ - name: parent.code_signature.exists
+ level: core
+ type: boolean
+ description: Boolean to capture if a signature is present.
+ example: 'true'
+ default_field: false
+ - name: parent.code_signature.status
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Additional information about the certificate status.
+
+ This is useful for logging cryptographic errors with the certificate validity
+ or trust status. Leave unpopulated if the validity or trust of the certificate
+ was unchecked.'
+ example: ERROR_UNTRUSTED_ROOT
+ default_field: false
+ - name: parent.code_signature.subject_name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Subject name of the code signer
+ example: Microsoft Corporation
+ default_field: false
+ - name: parent.code_signature.trusted
+ level: extended
+ type: boolean
+ description: 'Stores the trust status of the certificate chain.
+
+ Validating the trust of the certificate chain may be complicated, and this
+ field should only be populated by tools that actively check the status.'
+ example: 'true'
+ default_field: false
+ - name: parent.code_signature.valid
+ level: extended
+ type: boolean
+ description: 'Boolean to capture if the digital signature is verified against
+ the binary content.
+
+ Leave unpopulated if a certificate was unchecked.'
+ example: 'true'
+ default_field: false
+ - name: parent.command_line
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ description: 'Full command line that started the process, including the absolute
+ path to the executable, and all arguments.
+
+ Some arguments may be filtered to protect sensitive information.'
+ example: /usr/bin/ssh -l user 10.0.0.16
+ default_field: false
+ - name: parent.entity_id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique identifier for the process.
+
+ The implementation of this is specified by the data source, but some examples
+ of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
+ or a hash of some uniquely identifying components of a process.
+
+ Constructing a globally unique identifier is a common practice to mitigate
+ PID reuse as well as to identify a specific process over time, across multiple
+ monitored hosts.'
+ example: c2c455d9f99375d
+ default_field: false
+ - name: parent.executable
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ description: Absolute path to the process executable.
+ example: /usr/bin/ssh
+ default_field: false
+ - name: parent.exit_code
+ level: extended
+ type: long
+ description: 'The exit code of the process, if this is a termination event.
+
+ The field should be absent if there is no exit code for the event (e.g. process
+ start).'
+ example: 137
+ default_field: false
+ - name: parent.hash.md5
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: MD5 hash.
+ default_field: false
+ - name: parent.hash.sha1
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA1 hash.
+ default_field: false
+ - name: parent.hash.sha256
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA256 hash.
+ default_field: false
+ - name: parent.hash.sha512
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: SHA512 hash.
+ default_field: false
+ - name: parent.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ description: 'Process name.
+
+ Sometimes called program name or similar.'
+ example: ssh + default_field: false + - name: parent.pgid + level: extended + type: long + format: string + description: Identifier of the group of processes the process belongs to. + default_field: false + - name: parent.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: parent.ppid + level: extended + type: long + format: string + description: Parent process' pid. + example: 4241 + default_field: false + - name: parent.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: parent.thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + default_field: false + - name: parent.thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + default_field: false + - name: parent.title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + default_field: false + - name: parent.uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + default_field: false + - name: parent.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: The working directory of the process. + example: /home/alice + default_field: false + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. 
+ example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: pgid + level: extended + type: long + format: string + description: Identifier of the group of processes the process belongs to. + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: ppid + level: extended + type: long + format: string + description: Parent process' pid. + example: 4241 + - name: start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + - name: thread.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: thread.Ext.call_stack.instruction_pointer + level: custom + type: keyword + ignore_above: 1024 + description: The return address of this stack frame. + default_field: false + - name: thread.Ext.call_stack.memory_section.address + level: custom + type: keyword + ignore_above: 1024 + description: Base address of the memory region containing `instruction_pointer`. 
Corresponds + to `MEMORY_BASIC_INFORMATION.BaseAddress` + default_field: false + - name: thread.Ext.call_stack.memory_section.protection + level: custom + type: keyword + ignore_above: 1024 + description: Memory protection flags of this memory region. Corresponds to + `MEMORY_BASIC_INFORMATION.Protect` + default_field: false + - name: thread.Ext.call_stack.memory_section.size + level: custom + type: keyword + ignore_above: 1024 + description: Size of the memory region containing `instruction_pointer`. Corresponds + to `MEMORY_BASIC_INFORMATION.RegionSize` + default_field: false + - name: thread.Ext.call_stack.module_path + level: custom + type: keyword + ignore_above: 1024 + description: The DLL/module containing `instruction_pointer`. + default_field: false + - name: thread.Ext.call_stack.rva + level: custom + type: keyword + ignore_above: 1024 + description: The relative virtual address of `instruction_pointer`. Computed + as `instruction_pointer - MEMORY_BASIC_INFORMATION.AllocationBase`. + default_field: false + - name: thread.Ext.call_stack.symbol_info + level: custom + type: keyword + ignore_above: 1024 + description: The nearest symbol for `instruction_pointer`. + default_field: false + - name: thread.Ext.service + level: custom + type: keyword + ignore_above: 1024 + description: Service associated with the thread. + example: VaultSvc + default_field: false + - name: thread.Ext.start + level: custom + type: date + description: The time the thread started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: thread.Ext.start_address + level: custom + type: keyword + ignore_above: 1024 + description: Memory address where the thread began execution. + example: 5442508 + default_field: false + - name: thread.Ext.start_address_module + level: custom + type: keyword + ignore_above: 1024 + description: The dll/module where the thread began execution. 
+ example: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe + default_field: false + - name: thread.Ext.token.domain + level: custom + type: keyword + ignore_above: 1024 + description: Domain of token user. + default_field: false + - name: thread.Ext.token.elevation + level: custom + type: boolean + description: Whether the token is elevated or not + default_field: false + - name: thread.Ext.token.elevation_type + level: custom + type: keyword + ignore_above: 1024 + description: What level of elevation the token has + example: one of "default", "full", "limited" + default_field: false + - name: thread.Ext.token.impersonation_level + level: custom + type: keyword + ignore_above: 1024 + description: Impersonation level. Only valid for impersonation tokens. + default_field: false + - name: thread.Ext.token.integrity_level + level: custom + type: long + description: Numeric integrity level. + default_field: false + - name: thread.Ext.token.integrity_level_name + level: custom + type: keyword + ignore_above: 1024 + description: Human readable integrity level. + example: one of "system", "high", "medium", "low", "untrusted" + default_field: false + - name: thread.Ext.token.is_appcontainer + level: custom + type: boolean + description: Whether or not this is an appcontainer token. + default_field: false + - name: thread.Ext.token.privileges + level: custom + type: nested + description: Array describing the privileges associated with the token. + default_field: false + - name: thread.Ext.token.privileges.description + level: custom + type: keyword + ignore_above: 1024 + description: Description of the privilege. + default_field: false + - name: thread.Ext.token.privileges.enabled + level: custom + type: boolean + description: Whether or not the privilege is enabled. + default_field: false + - name: thread.Ext.token.privileges.name + level: custom + type: keyword + ignore_above: 1024 + description: Name of the privilege. 
+ default_field: false + - name: thread.Ext.token.sid + level: custom + type: keyword + ignore_above: 1024 + description: Token user's Security Identifier (SID). + default_field: false + - name: thread.Ext.token.type + level: custom + type: keyword + ignore_above: 1024 + description: Type of the token, either primary or impersonation. + default_field: false + - name: thread.Ext.token.user + level: custom + type: keyword + ignore_above: 1024 + description: Username of token owner. + default_field: false + - name: thread.Ext.uptime + level: custom + type: long + description: Seconds since thread started. + default_field: false + - name: thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 + - name: thread.name + level: extended + type: keyword + ignore_above: 1024 + description: Thread name. + example: thread-0 + - name: title + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process title. + + The proctitle, some times the same as process name. Can also be different: + for example a browser setting its title to the web page currently opened.' + - name: uptime + level: extended + type: long + description: Seconds the process has been up. + example: 1325 + - name: working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The working directory of the process. + example: /home/alice +- name: registry + title: Registry + group: 2 + description: Fields related to Windows Registry operations. + type: group + fields: + - name: data.bytes + level: extended + type: keyword + ignore_above: 1024 + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. 
This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + default_field: false + - name: data.strings + level: core + type: keyword + ignore_above: 1024 + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + default_field: false + - name: hive + level: core + type: keyword + ignore_above: 1024 + description: Abbreviated name for the hive. + example: HKLM + default_field: false + - name: key + level: core + type: keyword + ignore_above: 1024 + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + default_field: false + - name: path + level: core + type: keyword + ignore_above: 1024 + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + default_field: false + - name: value + level: core + type: keyword + ignore_above: 1024 + description: Name of the value written. + example: Debugger + default_field: false +- name: rule + title: Rule + group: 2 + description: 'Rule fields are used to capture the specifics of any observer or + agent rules that generate alerts or other notable events. + + Examples of data sources that would populate the rule fields include: network + admission control platforms, network or host IDS/IPS, network firewalls, web + application firewalls, url filters, endpoint detection and response (EDR) systems, + etc.' 
+ type: group + fields: + - name: author + level: extended + type: keyword + ignore_above: 1024 + description: Name, organization, or pseudonym of the author or authors who created + the rule used to generate this event. + example: + - Star-Lord + default_field: false + - name: category + level: extended + type: keyword + ignore_above: 1024 + description: A categorization value keyword used by the entity using the rule + for detection of this event. + example: Attempted Information Leak + default_field: false + - name: description + level: extended + type: keyword + ignore_above: 1024 + description: The description of the rule generating the event. + example: Block requests to public DNS over HTTPS / TLS protocols + default_field: false + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: A rule ID that is unique within the scope of an agent, observer, + or other entity using the rule for detection of this event. + example: 101 + default_field: false + - name: license + level: extended + type: keyword + ignore_above: 1024 + description: Name of the license under which the rule used to generate this + event is made available. + example: Apache 2.0 + default_field: false + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: The name of the rule or signature generating the event. + example: BLOCK_DNS_over_TLS + default_field: false + - name: reference + level: extended + type: keyword + ignore_above: 1024 + description: 'Reference URL to additional information about the rule used to + generate this event. + + The URL can point to the vendor''s documentation about the rule. If that''s + not available, it can also be a link to a more general page describing this + type of alert.' 
+ example: https://en.wikipedia.org/wiki/DNS_over_TLS + default_field: false + - name: ruleset + level: extended + type: keyword + ignore_above: 1024 + description: Name of the ruleset, policy, group, or parent category in which + the rule used to generate this event is a member. + example: Standard_Protocol_Filters + default_field: false + - name: uuid + level: extended + type: keyword + ignore_above: 1024 + description: A rule ID that is unique within the scope of a set or group of + agents, observers, or other entities using the rule for detection of this + event. + example: 1100110011 + default_field: false + - name: version + level: extended + type: keyword + ignore_above: 1024 + description: The version / revision of the rule being used for analysis. + example: 1.1 + default_field: false +- name: source + title: Source + group: 2 + description: 'Source fields describe details about the source of a packet/event. + + Source fields are usually populated in conjunction with destination fields.' + type: group + fields: + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Source domain. + - name: ip + level: core + type: ip + description: 'IP address of the source. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + - name: port + level: core + type: long + format: string + description: Port of the source. 
+ - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: google.com + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk +- name: threat + title: Threat + group: 2 + description: 'Fields to classify events and alerts according to a threat taxonomy + such as the Mitre ATT&CK framework. + + These fields are for users to classify alerts from all of their sources (e.g. + IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to + capture the high level category of the threat (e.g. "impact"). The threat.technique.* + fields are meant to capture which kind of approach is used by this detected + threat, to accomplish the goal (e.g. "endpoint denial of service").' + type: group + fields: + - name: framework + level: extended + type: keyword + ignore_above: 1024 + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. 
+ example: MITRE ATT&CK + - name: tactic.id + level: extended + type: keyword + ignore_above: 1024 + description: The id of tactic used by this threat. You can use the Mitre ATT&CK + Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ + ) + example: TA0040 + - name: tactic.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the type of tactic used by this threat. You can use the + Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ + ) + example: impact + - name: tactic.reference + level: extended + type: keyword + ignore_above: 1024 + description: The reference url of tactic used by this threat. You can use the + Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ + ) + example: https://attack.mitre.org/tactics/TA0040/ + - name: technique.id + level: extended + type: keyword + ignore_above: 1024 + description: The id of technique used by this tactic. You can use the Mitre + ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ + ) + example: T1499 + - name: technique.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The name of technique used by this tactic. You can use the Mitre + ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ + ) + example: endpoint denial of service + - name: technique.reference + level: extended + type: keyword + ignore_above: 1024 + description: The reference url of technique used by this tactic. You can use + the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. 
https://attack.mitre.org/techniques/T1499/ + ) + example: https://attack.mitre.org/techniques/T1499/ +- name: user + title: User + group: 2 + description: 'The user fields describe information about the user that is relevant + to the event. + + Fields can have one entry or multiple entries. If a user has more than one id, + provide an array that includes all of them.' + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.real + level: custom + type: object + object_type: keyword + description: User info prior to any setuid operations. + default_field: false + - name: Ext.real.id + level: custom + type: keyword + ignore_above: 1024 + description: One or multiple unique identifiers of the user. + default_field: false + - name: Ext.real.name + level: custom + type: keyword + ignore_above: 1024 + description: Short name or login of the user. + default_field: false + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: email + level: extended + type: keyword + ignore_above: 1024 + description: User email address. + - name: full_name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: User's full name, if available. + example: Albert Einstein + - name: group.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: group.Ext.real + level: custom + type: object + object_type: keyword + description: Group info prior to any setgid operations. 
+ default_field: false + - name: group.Ext.real.id + level: custom + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: group.Ext.real.name + level: custom + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: group.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the group is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + - name: hash + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique user hash to correlate information for a user in anonymized + form. + + Useful if `user.id` or `user.name` contain confidential information and cannot + be used.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. + example: albert diff --git a/packages/endpoint/0.5.0/dataset/events/manifest.yml b/packages/endpoint/0.5.0/dataset/events/manifest.yml new file mode 100644 index 0000000000..4d54cccaf7 --- /dev/null +++ b/packages/endpoint/0.5.0/dataset/events/manifest.yml @@ -0,0 +1,5 @@ +title: Endpoint Events + +type: events + +id: endpoint diff --git a/packages/endpoint/0.5.0/dataset/file/fields/fields.yml b/packages/endpoint/0.5.0/dataset/file/fields/fields.yml new file mode 100644 index 0000000000..153bf11b4b --- /dev/null +++ b/packages/endpoint/0.5.0/dataset/file/fields/fields.yml 
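Review bot: The new `events/manifest.yml` in the hunk on this line has no `---` document-start marker and separates its three keys with blank lines, which yamllint's `document-start` rule would flag and which reads oddly in a five-line file. The compact form, `---` followed by `title: Endpoint Events`, `type: events` and `id: endpoint` on consecutive lines, is the conventional layout; whether the package tooling that reads this manifest cares about the marker cannot be told from the diff alone. The three values themselves are plain strings that do not hit any implicit-typing trap, so no quoting is needed.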
@@ -0,0 +1,661 @@ +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when + the event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: agent + title: Agent + group: 2 + description: 'The agent fields contain the data about the software entity, if + any, that collects, detects, or observes events on a host, or takes measurements + on a host. + + Examples include Beats. Agents may also run on observers. ECS agent.* fields + shall be populated with details of the agent running on the host or observer + where the event happened or the measurement was taken.' + footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. + For APM, it is the agent running in the app/service. The agent information does + not change if data is sent through queuing systems like Kafka, Redis, or processing + systems such as Logstash or APM Server.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique identifier of this agent (if one exists). + + Example: For Beats this would be beat.id.' + example: 8a4f500d + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of the agent. 
+ + The agent type stays always the same and should be given by the agent used. + In case of Filebeat the agent would always be Filebeat also if two Filebeat + instances are run on the same machine.' + example: filebeat + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Version of the agent. + example: 6.0.0-rc2 +- name: dataset + title: dataset + group: 2 + description: Fields describing the new indexing strategy -- + type: group + fields: + - name: name + level: custom + type: constant_keyword + description: Dataset name. + default_field: false + - name: namespace + level: custom + type: constant_keyword + description: Dataset namespace. + default_field: false + - name: type + level: custom + type: constant_keyword + description: Dataset type. + default_field: false +- name: ecs + title: ECS + group: 2 + description: Meta-information specific to ECS. + type: group + fields: + - name: version + level: core + required: true + type: keyword + ignore_above: 1024 + description: 'ECS version this event conforms to. `ecs.version` is a required + field and must exist in all events. + + When querying across multiple indices -- which may conform to slightly different + ECS versions -- this field lets integrations adjust to the schema version + of the events.' + example: 1.0.0 +- name: event + title: Event + group: 2 + description: 'The event fields are used for context information about the log + or metric event itself. + + A log is defined as an event containing details of something that happened. + Log events must include the time at which the thing happened. Examples of log + events include a process starting on a host, a network packet being sent from + a source to a destination, or a network connection between a client and a server + being initiated or closed. A metric is defined as an event containing one or + more numerical measurements and the time at which the measurement was taken. 
+ Examples of metric events include memory pressure measured on a host and device + temperature. See the `event.kind` definition in this section for additional + details about metric and state events.' + type: group + fields: + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is + normally defined by the implementer.' + example: user-password-change + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as + a subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: created + level: core + type: date + description: 'event.created contains the date/time when the event was first + read by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain + the time extracted from the original event. + + In most situations, these two timestamps will be slightly different. The difference + can be used to calculate the delay between your source generating an event, + and the time when your agent first processed it. This can be used to monitor + your agent''s or pipeline''s ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used.' 
+ example: '2016-05-23T08:05:34.857Z' + - name: dataset + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the dataset. + + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which one the event comes + from. + + It''s recommended but not required to start the dataset name with the module + name, followed by a dot, then the dataset name.' + example: apache.access + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique ID to describe the event. + example: 8a4f500d + - name: kind + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + highest level in the ECS category hierarchy. + + `event.kind` gives high-level information about what type of information the + event contains, without being specific to the contents of the event. For example, + values of this field distinguish alert events from metric events. + + The value of this field can be used to inform how these kinds of events should + be handled. They may warrant different retention, different access control, + it may also help understand whether the data coming in at a regular interval + or not.' + example: alert + - name: module + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the module this data is coming from. + + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. Apache logs), `event.module` should contain + the name of this module.' + example: apache + - name: sequence + level: extended + type: long + format: string + description: 'Sequence number of the event. + + The sequence number is a value published by some event sources, to make the + exact ordering of events unambiguous, regardless of the timestamp precision.' 
+ - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + third level in the ECS category hierarchy. + + `event.type` represents a categorization "sub-bucket" that, when used along + with the `event.category` field values, enables filtering events down to a + level appropriate for single visualization. + + This field is an array. This will allow proper categorization of some events + that fall in multiple event types.' +- name: file + title: File + group: 2 + description: 'A file is defined as a set of information that has been created + on, or has existed on a filesystem. + + File objects can be associated with host events, network events, and/or file + events (e.g., those produced by File Integrity Monitoring [FIM] products or + services). File fields provide details about the affected file associated with + the event or metric.' + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.original + level: custom + type: object + object_type: keyword + description: Original file information during a modification event. + default_field: false + - name: Ext.original.gid + level: custom + type: keyword + ignore_above: 1024 + description: Primary group ID (GID) of the file. + example: '1001' + default_field: false + - name: Ext.original.group + level: custom + type: keyword + ignore_above: 1024 + description: Primary group name of the file. 
+ example: alice + default_field: false + - name: Ext.original.mode + level: custom + type: keyword + ignore_above: 1024 + description: Original file mode prior to a modification event + default_field: false + - name: Ext.original.name + level: custom + type: keyword + ignore_above: 1024 + description: Original file name prior to a modification event + default_field: false + - name: Ext.original.owner + level: custom + type: keyword + ignore_above: 1024 + description: File owner's username. + example: alice + default_field: false + - name: Ext.original.path + level: custom + type: keyword + ignore_above: 1024 + description: Original file path prior to a modification event + default_field: false + - name: Ext.original.uid + level: custom + type: keyword + ignore_above: 1024 + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + default_field: false + - name: Ext.windows + level: custom + type: object + object_type: keyword + description: Platform-specific Windows fields + default_field: false + - name: Ext.windows.zone_identifier + level: custom + type: keyword + ignore_above: 1024 + description: Windows zone identifier for a file + default_field: false + - name: gid + level: extended + type: keyword + ignore_above: 1024 + description: Primary group ID (GID) of the file. + example: '1001' + - name: group + level: extended + type: keyword + ignore_above: 1024 + description: Primary group name of the file. + example: alice + - name: hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + - name: hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + - name: hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + - name: inode + level: extended + type: keyword + ignore_above: 1024 + description: Inode representing the file in the filesystem. 
+ example: '256383' + - name: mode + level: extended + type: keyword + ignore_above: 1024 + description: Mode of the file in octal representation. + example: '0640' + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + - name: owner + level: extended + type: keyword + ignore_above: 1024 + description: File owner's username. + example: alice + - name: path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: uid + level: extended + type: keyword + ignore_above: 1024 + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' +- name: group + title: Group + group: 2 + description: The group fields are meant to represent groups that are relevant + to the event. + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.real + level: custom + type: object + object_type: keyword + description: Group info prior to any setgid operations. + default_field: false + - name: Ext.real.id + level: custom + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: Ext.real.name + level: custom + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the + event happened, or from which the measurement was taken. Host types include + hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: os.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: os.Ext.variant + level: custom + type: keyword + ignore_above: 1024 + description: A string value or phrase that further aid to classify or qualify + the operating system (OS). For example the distribution for a Linux OS will + be entered in this field. + example: Ubuntu + default_field: false + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). 
+ example: debian + - name: os.full + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, including the version or code name. + example: Mac OS Mojave + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 +- name: process + title: Process + group: 2 + description: 'These fields contain information about a process. + + These fields can help you correlate metrics information with a process id/name + from a log message. The `process.pid` often stays in the metric itself and + is copied to the global field for correlation.' + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.ancestry + level: custom + type: keyword + ignore_above: 1024 + description: An array of entity_ids indicating the ancestors for this event + default_field: false + - name: entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 +- name: user + title: User + group: 2 + description: 'The user fields describe information about the user that is relevant + to the event. + + Fields can have one entry or multiple entries. If a user has more than one id, + provide an array that includes all of them.' + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.real + level: custom + type: object + object_type: keyword + description: User info prior to any setuid operations. + default_field: false + - name: Ext.real.id + level: custom + type: keyword + ignore_above: 1024 + description: One or multiple unique identifiers of the user. 
+ default_field: false
+ - name: Ext.real.name
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Short name or login of the user.
+ default_field: false
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifiers of the user.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Short name or login of the user.
+ example: albert
diff --git a/packages/endpoint/0.5.0/dataset/file/manifest.yml b/packages/endpoint/0.5.0/dataset/file/manifest.yml
new file mode 100644
index 0000000000..4c41281113
--- /dev/null
+++ b/packages/endpoint/0.5.0/dataset/file/manifest.yml
@@ -0,0 +1,5 @@
+title: Endpoint File Events
+
+type: logs
+
+id: endpoint.events.file
diff --git a/packages/endpoint/0.5.0/dataset/library/fields/fields.yml b/packages/endpoint/0.5.0/dataset/library/fields/fields.yml
new file mode 100644
index 0000000000..6b0cd8e287
--- /dev/null
+++ b/packages/endpoint/0.5.0/dataset/library/fields/fields.yml
@@ -0,0 +1,650 @@
+- name: '@timestamp'
+ level: core
+ required: true
+ type: date
+ description: 'Date/time when the event originated.
+
+ This is the date/time extracted from the event, typically representing when
+ the event was generated by the source.
+
+ If the event source has no original timestamp, this value is typically populated
+ by the first time the event was received by the pipeline.
+
+ Required field for all events.'
+ example: '2016-05-23T08:05:34.853Z'
+- name: message
+ level: core
+ type: text
+ description: 'For log events the message field contains the log message, optimized
+ for viewing in a log viewer.
+
+ For structured logs without an original message field, other fields can be concatenated
+ to form a human-readable summary of the event.
+
+ If multiple messages exist, they can be combined into one message.'
+ example: Hello World
+- name: agent
+ title: Agent
+ group: 2
+ description: 'The agent fields contain the data about the software entity, if
+ any, that collects, detects, or observes events on a host, or takes measurements
+ on a host.
+
+ Examples include Beats. Agents may also run on observers. ECS agent.* fields
+ shall be populated with details of the agent running on the host or observer
+ where the event happened or the measurement was taken.'
+ footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat.
+ For APM, it is the agent running in the app/service. The agent information does
+ not change if data is sent through queuing systems like Kafka, Redis, or processing
+ systems such as Logstash or APM Server.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique identifier of this agent (if one exists).
+
+ Example: For Beats this would be beat.id.'
+ example: 8a4f500d
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of the agent.
+ + The agent type stays always the same and should be given by the agent used. + In case of Filebeat the agent would always be Filebeat also if two Filebeat + instances are run on the same machine.' + example: filebeat + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Version of the agent. + example: 6.0.0-rc2 +- name: dataset + title: dataset + group: 2 + description: Fields describing the new indexing strategy -- + type: group + fields: + - name: name + level: custom + type: constant_keyword + description: Dataset name. + default_field: false + - name: namespace + level: custom + type: constant_keyword + description: Dataset namespace. + default_field: false + - name: type + level: custom + type: constant_keyword + description: Dataset type. + default_field: false +- name: dll + title: DLL + group: 2 + description: 'These fields contain information about code libraries dynamically + loaded into processes. + + + Many operating systems refer to "shared code libraries" with different names, + but this field set refers to all of the following: + + * Dynamic-link library (`.dll`) commonly used on Windows + + * Shared Object (`.so`) commonly used on Unix-like operating systems + + * Dynamic library (`.dylib`) commonly used on macOS' + type: group + fields: + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false +- name: ecs + title: ECS + group: 2 + description: Meta-information specific to ECS. + type: group + fields: + - name: version + level: core + required: true + type: keyword + ignore_above: 1024 + description: 'ECS version this event conforms to. `ecs.version` is a required + field and must exist in all events. + + When querying across multiple indices -- which may conform to slightly different + ECS versions -- this field lets integrations adjust to the schema version + of the events.' + example: 1.0.0 +- name: event + title: Event + group: 2 + description: 'The event fields are used for context information about the log + or metric event itself. + + A log is defined as an event containing details of something that happened. + Log events must include the time at which the thing happened. Examples of log + events include a process starting on a host, a network packet being sent from + a source to a destination, or a network connection between a client and a server + being initiated or closed. 
A metric is defined as an event containing one or + more numerical measurements and the time at which the measurement was taken. + Examples of metric events include memory pressure measured on a host and device + temperature. See the `event.kind` definition in this section for additional + details about metric and state events.' + type: group + fields: + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is + normally defined by the implementer.' + example: user-password-change + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as + a subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: created + level: core + type: date + description: 'event.created contains the date/time when the event was first + read by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain + the time extracted from the original event. + + In most situations, these two timestamps will be slightly different. The difference + can be used to calculate the delay between your source generating an event, + and the time when your agent first processed it. This can be used to monitor + your agent''s or pipeline''s ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used.' 
+ example: '2016-05-23T08:05:34.857Z' + - name: dataset + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the dataset. + + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which one the event comes + from. + + It''s recommended but not required to start the dataset name with the module + name, followed by a dot, then the dataset name.' + example: apache.access + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique ID to describe the event. + example: 8a4f500d + - name: kind + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + highest level in the ECS category hierarchy. + + `event.kind` gives high-level information about what type of information the + event contains, without being specific to the contents of the event. For example, + values of this field distinguish alert events from metric events. + + The value of this field can be used to inform how these kinds of events should + be handled. They may warrant different retention, different access control, + it may also help understand whether the data coming in at a regular interval + or not.' + example: alert + - name: module + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the module this data is coming from. + + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. Apache logs), `event.module` should contain + the name of this module.' + example: apache + - name: sequence + level: extended + type: long + format: string + description: 'Sequence number of the event. + + The sequence number is a value published by some event sources, to make the + exact ordering of events unambiguous, regardless of the timestamp precision.' 
+ - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + third level in the ECS category hierarchy. + + `event.type` represents a categorization "sub-bucket" that, when used along + with the `event.category` field values, enables filtering events down to a + level appropriate for single visualization. + + This field is an array. This will allow proper categorization of some events + that fall in multiple event types.' +- name: file + title: File + group: 2 + description: 'A file is defined as a set of information that has been created + on, or has existed on a filesystem. + + File objects can be associated with host events, network events, and/or file + events (e.g., those produced by File Integrity Monitoring [FIM] products or + services). File fields provide details about the affected file associated with + the event or metric.' + type: group + fields: + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + - name: hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + - name: hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. 
+ example: example.png + - name: path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false +- name: group + title: Group + group: 2 + description: The group fields are meant to represent groups that are relevant + to the event. + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.real + level: custom + type: object + object_type: keyword + description: Group info prior to any setgid operations. + default_field: false + - name: Ext.real.id + level: custom + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: Ext.real.name + level: custom + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. 
+- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the + event happened, or from which the measurement was taken. Host types include + hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: os.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: os.Ext.variant + level: custom + type: keyword + ignore_above: 1024 + description: A string value or phrase that further aid to classify or qualify + the operating system (OS). For example the distribution for a Linux OS will + be entered in this field. + example: Ubuntu + default_field: false + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). 
+ example: debian + - name: os.full + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, including the version or code name. + example: Mac OS Mojave + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 +- name: process + title: Process + group: 2 + description: 'These fields contain information about a process. + + These fields can help you correlate metrics information with a process id/name + from a log message. The `process.pid` often stays in the metric itself and + is copied to the global field for correlation.' + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.ancestry + level: custom + type: keyword + ignore_above: 1024 + description: An array of entity_ids indicating the ancestors for this event + default_field: false + - name: entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 +- name: user + title: User + group: 2 + description: 'The user fields describe information about the user that is relevant + to the event. + + Fields can have one entry or multiple entries. If a user has more than one id, + provide an array that includes all of them.' + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.real + level: custom + type: object + object_type: keyword + description: User info prior to any setuid operations. + default_field: false + - name: Ext.real.id + level: custom + type: keyword + ignore_above: 1024 + description: One or multiple unique identifiers of the user. 
+ default_field: false
+ - name: Ext.real.name
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Short name or login of the user.
+ default_field: false
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifiers of the user.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Short name or login of the user.
+ example: albert
diff --git a/packages/endpoint/0.5.0/dataset/library/manifest.yml b/packages/endpoint/0.5.0/dataset/library/manifest.yml
new file mode 100644
index 0000000000..3f05588236
--- /dev/null
+++ b/packages/endpoint/0.5.0/dataset/library/manifest.yml
@@ -0,0 +1,5 @@
+title: Endpoint Library and Driver Events
+
+type: logs
+
+id: endpoint.events.library
diff --git a/packages/endpoint/0.5.0/dataset/metadata/fields/fields.yml b/packages/endpoint/0.5.0/dataset/metadata/fields/fields.yml
new file mode 100644
index 0000000000..18bd90cbbb
--- /dev/null
+++ b/packages/endpoint/0.5.0/dataset/metadata/fields/fields.yml
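Review bot: In the library fields file, the `dll` and `file` groups (from `- name: dll` through their `pe.*` entries) carry `code_signature.status` and `code_signature.subject_name` but no field for the verification outcome itself, even though the `status` description says to leave it unpopulated when validity or trust was unchecked, so an unsigned library and an unverified one are hard to tell apart from these two fields alone. ECS's code_signature field set also defines `code_signature.exists`, `code_signature.valid` and `code_signature.trusted`; adding whichever of these the endpoint can populate would let library-load events be triaged on signature state without parsing free-form `status` strings. Two wording points: `description: Subject name of the code signer` lacks the terminating period its neighbours use, and the `dataset` group's `description: Fields describing the new indexing strategy --` ends in a dangling `--`; that `dataset` text is repeated verbatim in the metadata fields file of this same commit.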
@@ -0,0 +1,277 @@ +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when + the event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: Endpoint + title: Endpoint + group: 2 + description: Fields describing the state of the Elastic Endpoint when an event + occurs. + type: group + fields: + - name: policy + level: custom + type: object + object_type: keyword + description: The policy fields are used to hold information about applied policy. + default_field: false + - name: policy.applied + level: custom + type: object + object_type: keyword + description: information about the policy that is applied + default_field: false + - name: policy.applied.id + level: custom + type: keyword + ignore_above: 1024 + description: the id of the applied policy + default_field: false + - name: policy.applied.name + level: custom + type: keyword + ignore_above: 1024 + description: the name of this applied policy + default_field: false + - name: policy.applied.status + level: custom + type: keyword + ignore_above: 1024 + description: the status of the applied policy + default_field: false + - name: status + level: custom + type: keyword + ignore_above: 1024 + description: The current status of the endpoint e.g. enrolled, unenrolled. + default_field: false +- name: agent + title: Agent + group: 2 + description: 'The agent fields contain the data about the software entity, if + any, that collects, detects, or observes events on a host, or takes measurements + on a host. + + Examples include Beats. Agents may also run on observers. 
ECS agent.* fields + shall be populated with details of the agent running on the host or observer + where the event happened or the measurement was taken.' + footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. + For APM, it is the agent running in the app/service. The agent information does + not change if data is sent through queuing systems like Kafka, Redis, or processing + systems such as Logstash or APM Server.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique identifier of this agent (if one exists). + + Example: For Beats this would be beat.id.' + example: 8a4f500d + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Custom name of the agent. + + This is a name that can be given to an agent. This can be helpful if for example + two Filebeat instances are running on the same host but a human readable separation + is needed on which Filebeat instance data is coming from. + + If no name is given, the name is often left empty.' + example: foo + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Version of the agent. + example: 6.0.0-rc2 +- name: dataset + title: dataset + group: 2 + description: Fields describing the new indexing strategy -- + type: group + fields: + - name: name + level: custom + type: constant_keyword + description: Dataset name. + default_field: false + - name: namespace + level: custom + type: constant_keyword + description: Dataset namespace. + default_field: false + - name: type + level: custom + type: constant_keyword + description: Dataset type. + default_field: false +- name: ecs + title: ECS + group: 2 + description: Meta-information specific to ECS. + type: group + fields: + - name: version + level: core + required: true + type: keyword + ignore_above: 1024 + description: 'ECS version this event conforms to. `ecs.version` is a required + field and must exist in all events. 
+ + When querying across multiple indices -- which may conform to slightly different + ECS versions -- this field lets integrations adjust to the schema version + of the events.' + example: 1.0.0 +- name: elastic + title: Elastic + group: 2 + description: Holds fields and properties of data points and concepts in the elastic + domain or namespace. + type: group + fields: + - name: agent + level: custom + type: object + object_type: keyword + description: The agent fields contain data about the Elastic Agent. The Elastic + Agent is the management agent that manages other agents or process on the + host. + default_field: false + - name: agent.id + level: custom + type: keyword + ignore_above: 1024 + description: Unique identifier of this elastic agent (if one exists). + example: c2a9093e-e289-4c0a-aa44-8c32a414fa7a + default_field: false +- name: event + title: Event + group: 2 + description: 'The event fields are used for context information about the log + or metric event itself. + + A log is defined as an event containing details of something that happened. + Log events must include the time at which the thing happened. Examples of log + events include a process starting on a host, a network packet being sent from + a source to a destination, or a network connection between a client and a server + being initiated or closed. A metric is defined as an event containing one or + more numerical measurements and the time at which the measurement was taken. + Examples of metric events include memory pressure measured on a host and device + temperature. See the `event.kind` definition in this section for additional + details about metric and state events.' + type: group + fields: + - name: created + level: core + type: date + description: 'event.created contains the date/time when the event was first + read by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain + the time extracted from the original event. 
+ + In most situations, these two timestamps will be slightly different. The difference + can be used to calculate the delay between your source generating an event, + and the time when your agent first processed it. This can be used to monitor + your agent''s or pipeline''s ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used.' + example: '2016-05-23T08:05:34.857Z' +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the + event happened, or from which the measurement was taken. Host types include + hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: os.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: os.Ext.variant + level: custom + type: keyword + ignore_above: 1024 + description: A string value or phrase that further aid to classify or qualify + the operating system (OS). For example the distribution for a Linux OS will + be entered in this field. 
+ example: Ubuntu + default_field: false + - name: os.full + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, including the version or code name. + example: Mac OS Mojave + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 diff --git a/packages/endpoint/0.5.0/dataset/metadata/manifest.yml b/packages/endpoint/0.5.0/dataset/metadata/manifest.yml new file mode 100644 index 0000000000..1fa5bf6fd2 --- /dev/null +++ b/packages/endpoint/0.5.0/dataset/metadata/manifest.yml @@ -0,0 +1,3 @@ +title: Endpoint Metadata + +type: metrics diff --git a/packages/endpoint/0.5.0/dataset/metadata_mirror/fields/fields.yml b/packages/endpoint/0.5.0/dataset/metadata_mirror/fields/fields.yml new file mode 100644 index 0000000000..18bd90cbbb --- /dev/null +++ b/packages/endpoint/0.5.0/dataset/metadata_mirror/fields/fields.yml 
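Review bot: The `dataset` group's description in this hunk is a truncated fragment, `Fields describing the new indexing strategy --`, and the `Endpoint.policy.applied.status` and `Endpoint.status` descriptions (`the status of the applied policy`, `The current status of the endpoint e.g. enrolled, unenrolled.`) never state the allowed values, which is exactly what a detection rule for "policy failed to apply" or "endpoint dropped out of management" has to match on. I would complete the first as `description: Fields identifying the dataset (type, name, namespace) under the new indexing strategy.` and have both status fields enumerate their closed set of values (the hunk does not show what they are) in the same full-sentence ECS style the rest of the file uses, instead of the lowercase fragments `the id of the applied policy` / `the name of this applied policy`. The `level`/`group`/`footnote`/`default_field` keys suggest this file is ECS-generator output, so the wording fix presumably belongs in the upstream schema source rather than in this file. Separately, `host.name` is absent from this dataset while `host.hostname` and `host.id` are present, which differs from the network dataset later in the patch; worth confirming that is intentional, since host-level correlation across datasets usually keys on `host.name` or `host.id`.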
@@ -0,0 +1,277 @@ +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when + the event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: Endpoint + title: Endpoint + group: 2 + description: Fields describing the state of the Elastic Endpoint when an event + occurs. + type: group + fields: + - name: policy + level: custom + type: object + object_type: keyword + description: The policy fields are used to hold information about applied policy. + default_field: false + - name: policy.applied + level: custom + type: object + object_type: keyword + description: information about the policy that is applied + default_field: false + - name: policy.applied.id + level: custom + type: keyword + ignore_above: 1024 + description: the id of the applied policy + default_field: false + - name: policy.applied.name + level: custom + type: keyword + ignore_above: 1024 + description: the name of this applied policy + default_field: false + - name: policy.applied.status + level: custom + type: keyword + ignore_above: 1024 + description: the status of the applied policy + default_field: false + - name: status + level: custom + type: keyword + ignore_above: 1024 + description: The current status of the endpoint e.g. enrolled, unenrolled. + default_field: false +- name: agent + title: Agent + group: 2 + description: 'The agent fields contain the data about the software entity, if + any, that collects, detects, or observes events on a host, or takes measurements + on a host. + + Examples include Beats. Agents may also run on observers. 
ECS agent.* fields + shall be populated with details of the agent running on the host or observer + where the event happened or the measurement was taken.' + footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. + For APM, it is the agent running in the app/service. The agent information does + not change if data is sent through queuing systems like Kafka, Redis, or processing + systems such as Logstash or APM Server.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique identifier of this agent (if one exists). + + Example: For Beats this would be beat.id.' + example: 8a4f500d + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Custom name of the agent. + + This is a name that can be given to an agent. This can be helpful if for example + two Filebeat instances are running on the same host but a human readable separation + is needed on which Filebeat instance data is coming from. + + If no name is given, the name is often left empty.' + example: foo + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Version of the agent. + example: 6.0.0-rc2 +- name: dataset + title: dataset + group: 2 + description: Fields describing the new indexing strategy -- + type: group + fields: + - name: name + level: custom + type: constant_keyword + description: Dataset name. + default_field: false + - name: namespace + level: custom + type: constant_keyword + description: Dataset namespace. + default_field: false + - name: type + level: custom + type: constant_keyword + description: Dataset type. + default_field: false +- name: ecs + title: ECS + group: 2 + description: Meta-information specific to ECS. + type: group + fields: + - name: version + level: core + required: true + type: keyword + ignore_above: 1024 + description: 'ECS version this event conforms to. `ecs.version` is a required + field and must exist in all events. 
+ + When querying across multiple indices -- which may conform to slightly different + ECS versions -- this field lets integrations adjust to the schema version + of the events.' + example: 1.0.0 +- name: elastic + title: Elastic + group: 2 + description: Holds fields and properties of data points and concepts in the elastic + domain or namespace. + type: group + fields: + - name: agent + level: custom + type: object + object_type: keyword + description: The agent fields contain data about the Elastic Agent. The Elastic + Agent is the management agent that manages other agents or process on the + host. + default_field: false + - name: agent.id + level: custom + type: keyword + ignore_above: 1024 + description: Unique identifier of this elastic agent (if one exists). + example: c2a9093e-e289-4c0a-aa44-8c32a414fa7a + default_field: false +- name: event + title: Event + group: 2 + description: 'The event fields are used for context information about the log + or metric event itself. + + A log is defined as an event containing details of something that happened. + Log events must include the time at which the thing happened. Examples of log + events include a process starting on a host, a network packet being sent from + a source to a destination, or a network connection between a client and a server + being initiated or closed. A metric is defined as an event containing one or + more numerical measurements and the time at which the measurement was taken. + Examples of metric events include memory pressure measured on a host and device + temperature. See the `event.kind` definition in this section for additional + details about metric and state events.' + type: group + fields: + - name: created + level: core + type: date + description: 'event.created contains the date/time when the event was first + read by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain + the time extracted from the original event. 
+ + In most situations, these two timestamps will be slightly different. The difference + can be used to calculate the delay between your source generating an event, + and the time when your agent first processed it. This can be used to monitor + your agent''s or pipeline''s ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used.' + example: '2016-05-23T08:05:34.857Z' +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the + event happened, or from which the measurement was taken. Host types include + hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: os.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: os.Ext.variant + level: custom + type: keyword + ignore_above: 1024 + description: A string value or phrase that further aid to classify or qualify + the operating system (OS). For example the distribution for a Linux OS will + be entered in this field. 
+ example: Ubuntu + default_field: false + - name: os.full + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, including the version or code name. + example: Mac OS Mojave + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 diff --git a/packages/endpoint/0.5.0/dataset/metadata_mirror/manifest.yml b/packages/endpoint/0.5.0/dataset/metadata_mirror/manifest.yml new file mode 100644 index 0000000000..8360598ff0 --- /dev/null +++ b/packages/endpoint/0.5.0/dataset/metadata_mirror/manifest.yml @@ -0,0 +1,3 @@ +title: Endpoint Metadata Mirror + +type: metrics diff --git a/packages/endpoint/0.5.0/dataset/network/fields/fields.yml b/packages/endpoint/0.5.0/dataset/network/fields/fields.yml new file mode 100644 index 0000000000..8d6fc70b9f --- /dev/null +++ b/packages/endpoint/0.5.0/dataset/network/fields/fields.yml 
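Review bot: This file is a byte-for-byte copy of `metadata/fields/fields.yml` (both file headers carry blob `18bd90cbbb`), so every future field change to the metadata schema has to be repeated here by hand, and nothing in the patch records that the two must stay aligned. If a field is later added only to `metadata`, a query against the mirror could silently return no hits for it, which is the kind of schema drift that hides an unenrolled or mis-policied endpoint from a dashboard or rule. I would put a header comment at the top of this file, `# Mirror of ../metadata/fields/fields.yml -- regenerate or edit both together.`, or, if these files are generator output as the `level`/`group`/`footnote`/`default_field` keys suggest, have the build emit the mirror from the same source. The `metadata_mirror/manifest.yml` title `Endpoint Metadata Mirror` likewise says nothing about what is mirrored or why; a one-line note there would spare the next maintainer a diff of two 277-line files.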
@@ -0,0 +1,895 @@ +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when + the event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: agent + title: Agent + group: 2 + description: 'The agent fields contain the data about the software entity, if + any, that collects, detects, or observes events on a host, or takes measurements + on a host. + + Examples include Beats. Agents may also run on observers. ECS agent.* fields + shall be populated with details of the agent running on the host or observer + where the event happened or the measurement was taken.' + footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. + For APM, it is the agent running in the app/service. The agent information does + not change if data is sent through queuing systems like Kafka, Redis, or processing + systems such as Logstash or APM Server.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique identifier of this agent (if one exists). + + Example: For Beats this would be beat.id.' + example: 8a4f500d + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of the agent. 
+ + The agent type stays always the same and should be given by the agent used. + In case of Filebeat the agent would always be Filebeat also if two Filebeat + instances are run on the same machine.' + example: filebeat + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Version of the agent. + example: 6.0.0-rc2 +- name: dataset + title: dataset + group: 2 + description: Fields describing the new indexing strategy -- + type: group + fields: + - name: name + level: custom + type: constant_keyword + description: Dataset name. + default_field: false + - name: namespace + level: custom + type: constant_keyword + description: Dataset namespace. + default_field: false + - name: type + level: custom + type: constant_keyword + description: Dataset type. + default_field: false +- name: destination + title: Destination + group: 2 + description: 'Destination fields describe details about the destination of a packet/event. + + Destination fields are usually populated in conjunction with source fields.' + type: group + fields: + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event destination addresses are defined ambiguously. The + event will sometimes list an IP, a domain or a unix socket. You should always + store the raw address in the `.address` field. + + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the destination to the source. + example: 184 + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Destination domain. + - name: ip + level: core + type: ip + description: 'IP address of the destination. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: packets + level: core + type: long + description: Packets sent from the destination to the source. 
+ example: 12 + - name: port + level: core + type: long + format: string + description: Port of the destination. + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered destination domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: google.com + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk +- name: dns + title: DNS + group: 2 + description: 'Fields describing DNS queries and answers. + + DNS events should either represent a single DNS query prior to getting answers + (`dns.type:query`) or they should represent a full exchange and contain the + query details as well as all of the answers that were provided for this query + (`dns.type:answer`).' + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. 
+ default_field: false + - name: Ext.options + level: custom + type: keyword + ignore_above: 1024 + description: DNS options field, uint64, representing as a keyword to avoid overflows + in ES + default_field: false + - name: Ext.status + level: custom + type: long + description: DNS status field, uint32 + default_field: false + - name: question.name + level: extended + type: keyword + ignore_above: 1024 + description: 'The name being queried. + + If the name field contains non-printable characters (below 32 or above 126), + those characters should be represented as escaped base 10 integers (\DDD). + Back slashes and quotes should be escaped. Tabs, carriage returns, and line + feeds should be converted to \t, \r, and \n respectively.' + example: www.google.com + - name: question.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: google.com + - name: question.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain is all of the labels under the registered_domain. + + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: www + - name: question.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). 
Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + - name: question.type + level: extended + type: keyword + ignore_above: 1024 + description: The type of record being queried. + example: AAAA + - name: resolved_ip + level: extended + type: ip + description: 'Array containing all IPs seen in `answers.data`. + + The `answers` array can be difficult to use, because of the variety of data + formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` + makes it possible to index them as IP addresses, and makes them easier to + visualize and query for.' + example: + - 10.10.10.10 + - 10.10.10.11 +- name: ecs + title: ECS + group: 2 + description: Meta-information specific to ECS. + type: group + fields: + - name: version + level: core + required: true + type: keyword + ignore_above: 1024 + description: 'ECS version this event conforms to. `ecs.version` is a required + field and must exist in all events. + + When querying across multiple indices -- which may conform to slightly different + ECS versions -- this field lets integrations adjust to the schema version + of the events.' + example: 1.0.0 +- name: event + title: Event + group: 2 + description: 'The event fields are used for context information about the log + or metric event itself. + + A log is defined as an event containing details of something that happened. + Log events must include the time at which the thing happened. Examples of log + events include a process starting on a host, a network packet being sent from + a source to a destination, or a network connection between a client and a server + being initiated or closed. A metric is defined as an event containing one or + more numerical measurements and the time at which the measurement was taken. + Examples of metric events include memory pressure measured on a host and device + temperature. 
See the `event.kind` definition in this section for additional + details about metric and state events.' + type: group + fields: + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is + normally defined by the implementer.' + example: user-password-change + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as + a subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: created + level: core + type: date + description: 'event.created contains the date/time when the event was first + read by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain + the time extracted from the original event. + + In most situations, these two timestamps will be slightly different. The difference + can be used to calculate the delay between your source generating an event, + and the time when your agent first processed it. This can be used to monitor + your agent''s or pipeline''s ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used.' + example: '2016-05-23T08:05:34.857Z' + - name: dataset + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the dataset. + + If an event source publishes more than one type of log or events (e.g. 
access + log, error log), the dataset is used to specify which one the event comes + from. + + It''s recommended but not required to start the dataset name with the module + name, followed by a dot, then the dataset name.' + example: apache.access + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique ID to describe the event. + example: 8a4f500d + - name: kind + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + highest level in the ECS category hierarchy. + + `event.kind` gives high-level information about what type of information the + event contains, without being specific to the contents of the event. For example, + values of this field distinguish alert events from metric events. + + The value of this field can be used to inform how these kinds of events should + be handled. They may warrant different retention, different access control, + it may also help understand whether the data coming in at a regular interval + or not.' + example: alert + - name: module + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the module this data is coming from. + + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. Apache logs), `event.module` should contain + the name of this module.' + example: apache + - name: sequence + level: extended + type: long + format: string + description: 'Sequence number of the event. + + The sequence number is a value published by some event sources, to make the + exact ordering of events unambiguous, regardless of the timestamp precision.' + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + third level in the ECS category hierarchy. 
+ + `event.type` represents a categorization "sub-bucket" that, when used along + with the `event.category` field values, enables filtering events down to a + level appropriate for single visualization. + + This field is an array. This will allow proper categorization of some events + that fall in multiple event types.' +- name: group + title: Group + group: 2 + description: The group fields are meant to represent groups that are relevant + to the event. + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.real + level: custom + type: object + object_type: keyword + description: Group info prior to any setgid operations. + default_field: false + - name: Ext.real.id + level: custom + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: Ext.real.name + level: custom + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the + event happened, or from which the measurement was taken. Host types include + hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. 
+ + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: os.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: os.Ext.variant + level: custom + type: keyword + ignore_above: 1024 + description: A string value or phrase that further aid to classify or qualify + the operating system (OS). For example the distribution for a Linux OS will + be entered in this field. + example: Ubuntu + default_field: false + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.full + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, including the version or code name. + example: Mac OS Mojave + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. 
+ example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 +- name: http + title: HTTP + group: 2 + description: Fields related to HTTP activity. Use the `url` field set to store + the url of the request. + type: group + fields: + - name: request.body.bytes + level: extended + type: long + format: bytes + description: Size in bytes of the request body. + example: 887 + - name: request.body.content + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP request body. + example: Hello world + - name: request.bytes + level: extended + type: long + format: bytes + description: Total size in bytes of the request (body and headers). + example: 1437 + - name: response.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: response.Ext.version + level: custom + type: keyword + ignore_above: 1024 + description: HTTP version + default_field: false + - name: response.body.bytes + level: extended + type: long + format: bytes + description: Size in bytes of the response body. + example: 887 + - name: response.body.content + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: The full HTTP response body. 
+ example: Hello world + - name: response.bytes + level: extended + type: long + format: bytes + description: Total size in bytes of the response (body and headers). + example: 1437 + - name: response.status_code + level: extended + type: long + format: string + description: HTTP response status code. + example: 404 +- name: network + title: Network + group: 2 + description: 'The network is defined as the communication path over which a host + or network event happens. + + The network.* fields should be populated with details about the network activity + associated with an event.' + type: group + fields: + - name: bytes + level: core + type: long + format: bytes + description: 'Total bytes transferred in both directions. + + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their + sum.' + example: 368 + - name: community_id + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of source and destination IPs and ports, as well as the + protocol used in a communication. This is a tool-agnostic standard to identify + flows. + + Learn more at https://github.com/corelight/community-id-spec.' + example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= + - name: direction + level: core + type: keyword + ignore_above: 1024 + description: "Direction of the network traffic.\nRecommended values are:\n \ + \ * inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen\ + \ mapping events from a host-based monitoring context, populate this field\ + \ from the host's point of view.\nWhen mapping events from a network or perimeter-based\ + \ monitoring context, populate this field from the point of view of your network\ + \ perimeter." + example: inbound + - name: iana_number + level: extended + type: keyword + ignore_above: 1024 + description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). + Standardized list of protocols. 
This aligns well with NetFlow and sFlow related + logs which use the IANA Protocol Number. + example: 6 + - name: packets + level: core + type: long + description: 'Total packets transferred in both directions. + + If `source.packets` and `destination.packets` are known, `network.packets` + is their sum.' + example: 24 + - name: protocol + level: core + type: keyword + ignore_above: 1024 + description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol. + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: http + - name: transport + level: core + type: keyword + ignore_above: 1024 + description: 'Same as network.iana_number, but instead using the Keyword name + of the transport layer (udp, tcp, ipv6-icmp, etc.) + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: tcp + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6, + ipsec, pim, etc + + The field value must be normalized to lowercase for querying. See the documentation + section "Implementing ECS".' + example: ipv4 +- name: process + title: Process + group: 2 + description: 'These fields contain information about a process. + + These fields can help you correlate metrics information with a process id/name + from a log message. The `process.pid` often stays in the metric itself and + is copied to the global field for correlation.' + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. 
+ default_field: false + - name: Ext.ancestry + level: custom + type: keyword + ignore_above: 1024 + description: An array of entity_ids indicating the ancestors for this event + default_field: false + - name: entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 +- name: source + title: Source + group: 2 + description: 'Source fields describe details about the source of a packet/event. + + Source fields are usually populated in conjunction with destination fields.' + type: group + fields: + - name: address + level: extended + type: keyword + ignore_above: 1024 + description: 'Some event source addresses are defined ambiguously. The event + will sometimes list an IP, a domain or a unix socket. You should always store + the raw address in the `.address` field. 
+ + Then it should be duplicated to `.ip` or `.domain`, depending on which one + it is.' + - name: bytes + level: core + type: long + format: bytes + description: Bytes sent from the source to the destination. + example: 184 + - name: domain + level: core + type: keyword + ignore_above: 1024 + description: Source domain. + - name: ip + level: core + type: ip + description: 'IP address of the source. + + Can be one or multiple IPv4 or IPv6 addresses.' + - name: packets + level: core + type: long + description: Packets sent from the source to the destination. + example: 12 + - name: port + level: core + type: long + format: string + description: Port of the source. + - name: registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered source domain, stripped of the subdomain. + + For example, the registered domain for "foo.google.com" is "google.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: google.com + - name: top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for google.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk +- name: user + title: User + group: 2 + description: 'The user fields describe information about the user that is relevant + to the event. + + Fields can have one entry or multiple entries. If a user has more than one id, + provide an array that includes all of them.' 
+ type: group
+ fields:
+ - name: Ext
+ level: custom
+ type: object
+ object_type: keyword
+ description: Object for all custom defined fields to live in.
+ default_field: false
+ - name: Ext.real
+ level: custom
+ type: object
+ object_type: keyword
+ description: User info prior to any setuid operations.
+ default_field: false
+ - name: Ext.real.id
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: One or multiple unique identifiers of the user.
+ default_field: false
+ - name: Ext.real.name
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: Short name or login of the user.
+ default_field: false
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the directory the user is a member of.
+
+ For example, an LDAP or Active Directory domain name.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifiers of the user.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Short name or login of the user.
+ example: albert
diff --git a/packages/endpoint/0.5.0/dataset/network/manifest.yml b/packages/endpoint/0.5.0/dataset/network/manifest.yml
new file mode 100644
index 0000000000..bc2135870f
--- /dev/null
+++ b/packages/endpoint/0.5.0/dataset/network/manifest.yml
@@ -0,0 +1,5 @@
+title: Endpoint Network Events
+
+type: logs
+
+id: endpoint.events.network
diff --git a/packages/endpoint/0.5.0/dataset/policy/fields/fields.yml b/packages/endpoint/0.5.0/dataset/policy/fields/fields.yml
new file mode 100644
index 0000000000..c34a8fa1f9
--- /dev/null
+++ b/packages/endpoint/0.5.0/dataset/policy/fields/fields.yml
@@ -0,0 +1,424 @@ +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when + the event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: Endpoint + title: Endpoint + group: 2 + description: Fields describing the state of the Elastic Endpoint when an event + occurs. + type: group + fields: + - name: policy + level: custom + type: object + object_type: keyword + description: The policy fields are used to hold information about applied policy. 
+ default_field: false + - name: policy.applied + level: custom + type: object + object_type: keyword + description: information about the policy that is applied + default_field: false + - name: policy.applied.actions + level: custom + type: nested + description: actions applied during the application of the policy + enabled: false + default_field: false + - name: policy.applied.actions.message + level: custom + type: keyword + ignore_above: 1024 + description: message about the application of the action to further qualify + the status of the action + default_field: false + - name: policy.applied.actions.name + level: custom + type: keyword + ignore_above: 1024 + description: name of the action that was applied + default_field: false + - name: policy.applied.actions.status + level: custom + type: keyword + ignore_above: 1024 + description: the status of the action + default_field: false + - name: policy.applied.artifacts + level: custom + type: object + object_type: keyword + description: information about protection artifacts applied. + enabled: false + default_field: false + - name: policy.applied.artifacts.global + level: custom + type: object + object_type: keyword + description: information about global protection artifacts applied. + default_field: false + - name: policy.applied.artifacts.global.identifiers + level: custom + type: nested + description: the identifiers of global artifacts applied. + default_field: false + - name: policy.applied.artifacts.global.identifiers.name + level: custom + type: keyword + ignore_above: 1024 + description: the name of global artifact applied. + default_field: false + - name: policy.applied.artifacts.global.identifiers.sha256 + level: custom + type: keyword + ignore_above: 1024 + description: the sha256 of global artifacts applied. + default_field: false + - name: policy.applied.artifacts.global.version + level: custom + type: keyword + ignore_above: 1024 + description: the version of global artifacts applied. 
+ default_field: false + - name: policy.applied.artifacts.user + level: custom + type: object + object_type: keyword + description: information about user protection artifacts applied. + default_field: false + - name: policy.applied.artifacts.user.identifiers + level: custom + type: nested + description: the identifiers of user artifacts applied. + default_field: false + - name: policy.applied.artifacts.user.identifiers.name + level: custom + type: keyword + ignore_above: 1024 + description: the name of user artifact applied. + default_field: false + - name: policy.applied.artifacts.user.identifiers.sha256 + level: custom + type: keyword + ignore_above: 1024 + description: the sha256 of user artifacts applied. + default_field: false + - name: policy.applied.artifacts.user.version + level: custom + type: keyword + ignore_above: 1024 + description: the version of user artifacts applied. + default_field: false + - name: policy.applied.configurations + level: custom + type: object + object_type: keyword + description: the configurations of the applied policy + enabled: false + default_field: false + - name: policy.applied.configurations.events + level: custom + type: object + object_type: keyword + description: overall event collection configuration and status of the applied + policy + default_field: false + - name: policy.applied.configurations.events.concerned_actions + level: custom + type: keyword + ignore_above: 1024 + description: all actions that were taken for event collection + default_field: false + - name: policy.applied.configurations.events.status + level: custom + type: keyword + ignore_above: 1024 + description: the overall status of event collection, this is correlated to the + status of concerned actions but not a simple sum of the actions + default_field: false + - name: policy.applied.configurations.logging + level: custom + type: object + object_type: keyword + description: overall logging configuration and status of the applied policy + 
default_field: false + - name: policy.applied.configurations.logging.concerned_actions + level: custom + type: keyword + ignore_above: 1024 + description: all actions that were taken for logging + default_field: false + - name: policy.applied.configurations.logging.status + level: custom + type: keyword + ignore_above: 1024 + description: the overall status of logging, this is correlated to the status + of concerned actions but not a simple sum of the actions + default_field: false + - name: policy.applied.configurations.malware + level: custom + type: object + object_type: keyword + description: overall malware configuration and status of the applied policy + default_field: false + - name: policy.applied.configurations.malware.concerned_actions + level: custom + type: keyword + ignore_above: 1024 + description: all actions that were taken for malware + default_field: false + - name: policy.applied.configurations.malware.status + level: custom + type: keyword + ignore_above: 1024 + description: the overall status of malware, this is correlated to the status + of concerned actions but not a simple sum of the actions + default_field: false + - name: policy.applied.configurations.streaming + level: custom + type: object + object_type: keyword + description: overall data streaming configuration and status of the applied + policy + default_field: false + - name: policy.applied.configurations.streaming.concerned_actions + level: custom + type: keyword + ignore_above: 1024 + description: all actions that were taken for data streaming + default_field: false + - name: policy.applied.configurations.streaming.status + level: custom + type: keyword + ignore_above: 1024 + description: the overall status of data streaming, this is correlated to the + status of concerned actions but not a simple sum of the actions + default_field: false + - name: policy.applied.id + level: custom + type: keyword + ignore_above: 1024 + description: the id of the applied policy + default_field: 
false + - name: policy.applied.name + level: custom + type: keyword + ignore_above: 1024 + description: the name of this applied policy + default_field: false + - name: policy.applied.response + level: custom + type: object + object_type: keyword + description: the response of actions that failed in the applied policy + enabled: false + default_field: false + - name: policy.applied.status + level: custom + type: keyword + ignore_above: 1024 + description: the status of the applied policy + default_field: false + - name: policy.applied.version + level: custom + type: keyword + ignore_above: 1024 + description: the version of this applied policy + default_field: false +- name: dataset + title: dataset + group: 2 + description: Fields describing the new indexing strategy -- + type: group + fields: + - name: name + level: custom + type: constant_keyword + description: Dataset name. + default_field: false + - name: namespace + level: custom + type: constant_keyword + description: Dataset namespace. + default_field: false + - name: type + level: custom + type: constant_keyword + description: Dataset type. + default_field: false +- name: ecs + title: ECS + group: 2 + description: Meta-information specific to ECS. + type: group + fields: + - name: version + level: core + required: true + type: keyword + ignore_above: 1024 + description: 'ECS version this event conforms to. `ecs.version` is a required + field and must exist in all events. + + When querying across multiple indices -- which may conform to slightly different + ECS versions -- this field lets integrations adjust to the schema version + of the events.' + example: 1.0.0 +- name: event + title: Event + group: 2 + description: 'The event fields are used for context information about the log + or metric event itself. + + A log is defined as an event containing details of something that happened. + Log events must include the time at which the thing happened. 
Examples of log + events include a process starting on a host, a network packet being sent from + a source to a destination, or a network connection between a client and a server + being initiated or closed. A metric is defined as an event containing one or + more numerical measurements and the time at which the measurement was taken. + Examples of metric events include memory pressure measured on a host and device + temperature. See the `event.kind` definition in this section for additional + details about metric and state events.' + type: group + fields: + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is + normally defined by the implementer.' + example: user-password-change + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as + a subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: created + level: core + type: date + description: 'event.created contains the date/time when the event was first + read by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain + the time extracted from the original event. + + In most situations, these two timestamps will be slightly different. 
The difference + can be used to calculate the delay between your source generating an event, + and the time when your agent first processed it. This can be used to monitor + your agent''s or pipeline''s ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used.' + example: '2016-05-23T08:05:34.857Z' + - name: dataset + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the dataset. + + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which one the event comes + from. + + It''s recommended but not required to start the dataset name with the module + name, followed by a dot, then the dataset name.' + example: apache.access + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique ID to describe the event. + example: 8a4f500d + - name: kind + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + highest level in the ECS category hierarchy. + + `event.kind` gives high-level information about what type of information the + event contains, without being specific to the contents of the event. For example, + values of this field distinguish alert events from metric events. + + The value of this field can be used to inform how these kinds of events should + be handled. They may warrant different retention, different access control, + it may also help understand whether the data coming in at a regular interval + or not.' + example: alert + - name: module + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the module this data is coming from. + + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. Apache logs), `event.module` should contain + the name of this module.' 
+ example: apache
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'This is one of four ECS Categorization Fields, and indicates the
+ third level in the ECS category hierarchy.
+
+ `event.type` represents a categorization "sub-bucket" that, when used along
+ with the `event.category` field values, enables filtering events down to a
+ level appropriate for single visualization.
+
+ This field is an array. This will allow proper categorization of some events
+ that fall in multiple event types.'
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the
+ event happened, or from which the measurement was taken. Host types include
+ hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
diff --git a/packages/endpoint/0.5.0/dataset/policy/manifest.yml b/packages/endpoint/0.5.0/dataset/policy/manifest.yml
new file mode 100644
index 0000000000..035ffbd16b
--- /dev/null
+++ b/packages/endpoint/0.5.0/dataset/policy/manifest.yml
@@ -0,0 +1,3 @@
+title: Endpoint Policy Response
+
+type: metrics
diff --git a/packages/endpoint/0.5.0/dataset/process/fields/fields.yml b/packages/endpoint/0.5.0/dataset/process/fields/fields.yml
new file mode 100644
index 0000000000..d75a59edf5
--- /dev/null
+++ b/packages/endpoint/0.5.0/dataset/process/fields/fields.yml
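Review bot: The keyword children declared under `policy.applied.artifacts` and `policy.applied.configurations` (for example `policy.applied.artifacts.global.identifiers.sha256` and `policy.applied.configurations.malware.status`) sit below parents that carry `enabled: false`, and `policy.applied.actions` is a `nested` field that is disabled the same way; if the package's template generator passes `enabled: false` through to the Elasticsearch mapping unchanged, those children are stored but never indexed, so an analyst cannot search or aggregate on which artifact digests and protection statuses an endpoint actually applied — the main reason to collect a policy response at all. Either drop `enabled: false` from the three parents, or remove the dead child definitions and state in the parent description that the object is stored but not searchable, so the schema does not promise fields that cannot be queried. Separately, the two `sha256` descriptions do not say how the digest is encoded; because these are exact-match keywords, I would write `description: the sha256 of the global artifact applied, as a lowercase hex string` (matching whatever the agent emits) so artifact lookups pivoting from an alert do not miss on case. The `policy.applied.status` and `policy.applied.configurations.*.status` descriptions likewise list no values; a one-line enumeration of the status vocabulary the agent emits would let detections and dashboards on these fields be written against a stable contract rather than guessed.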
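Review bot: `id` is absent from this manifest, whereas the network dataset manifest earlier in the patch sets `id: endpoint.events.network` next to the same `title`/`type` keys. If `id` is what the package tooling uses to derive the index or data stream name, the policy response data would land under whatever default is computed from the directory name, which is worth confirming since policy-response indices are what compliance and detection queries will target. If omitting `id` is deliberate for `metrics`-type datasets (the diffstat suggests the alerts, metadata and telemetry manifests are also three lines), a comment such as `# no explicit id: dataset name is derived from the directory` would keep the next reader from flagging the inconsistency.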
@@ -0,0 +1,696 @@
+- name: '@timestamp'
+ level: core
+ required: true
+ type: date
+ description: 'Date/time when the event originated.
+
+ This is the date/time extracted from the event, typically representing when
+ the event was generated by the source.
+
+ If the event source has no original timestamp, this value is typically populated
+ by the first time the event was received by the pipeline.
+
+ Required field for all events.'
+ example: '2016-05-23T08:05:34.853Z'
+- name: message
+ level: core
+ type: text
+ description: 'For log events the message field contains the log message, optimized
+ for viewing in a log viewer.
+
+ For structured logs without an original message field, other fields can be concatenated
+ to form a human-readable summary of the event.
+
+ If multiple messages exist, they can be combined into one message.'
+ example: Hello World
+- name: agent
+ title: Agent
+ group: 2
+ description: 'The agent fields contain the data about the software entity, if
+ any, that collects, detects, or observes events on a host, or takes measurements
+ on a host.
+
+ Examples include Beats. Agents may also run on observers. ECS agent.* fields
+ shall be populated with details of the agent running on the host or observer
+ where the event happened or the measurement was taken.'
+ footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat.
+ For APM, it is the agent running in the app/service. The agent information does
+ not change if data is sent through queuing systems like Kafka, Redis, or processing
+ systems such as Logstash or APM Server.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique identifier of this agent (if one exists).
+
+ Example: For Beats this would be beat.id.'
+ example: 8a4f500d
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of the agent.
+ + The agent type stays always the same and should be given by the agent used. + In case of Filebeat the agent would always be Filebeat also if two Filebeat + instances are run on the same machine.' + example: filebeat + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Version of the agent. + example: 6.0.0-rc2 +- name: dataset + title: dataset + group: 2 + description: Fields describing the new indexing strategy -- + type: group + fields: + - name: name + level: custom + type: constant_keyword + description: Dataset name. + default_field: false + - name: namespace + level: custom + type: constant_keyword + description: Dataset namespace. + default_field: false + - name: type + level: custom + type: constant_keyword + description: Dataset type. + default_field: false +- name: ecs + title: ECS + group: 2 + description: Meta-information specific to ECS. + type: group + fields: + - name: version + level: core + required: true + type: keyword + ignore_above: 1024 + description: 'ECS version this event conforms to. `ecs.version` is a required + field and must exist in all events. + + When querying across multiple indices -- which may conform to slightly different + ECS versions -- this field lets integrations adjust to the schema version + of the events.' + example: 1.0.0 +- name: event + title: Event + group: 2 + description: 'The event fields are used for context information about the log + or metric event itself. + + A log is defined as an event containing details of something that happened. + Log events must include the time at which the thing happened. Examples of log + events include a process starting on a host, a network packet being sent from + a source to a destination, or a network connection between a client and a server + being initiated or closed. A metric is defined as an event containing one or + more numerical measurements and the time at which the measurement was taken. 
+ Examples of metric events include memory pressure measured on a host and device + temperature. See the `event.kind` definition in this section for additional + details about metric and state events.' + type: group + fields: + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is + normally defined by the implementer.' + example: user-password-change + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as + a subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: created + level: core + type: date + description: 'event.created contains the date/time when the event was first + read by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain + the time extracted from the original event. + + In most situations, these two timestamps will be slightly different. The difference + can be used to calculate the delay between your source generating an event, + and the time when your agent first processed it. This can be used to monitor + your agent''s or pipeline''s ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used.' 
+ example: '2016-05-23T08:05:34.857Z' + - name: dataset + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the dataset. + + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which one the event comes + from. + + It''s recommended but not required to start the dataset name with the module + name, followed by a dot, then the dataset name.' + example: apache.access + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique ID to describe the event. + example: 8a4f500d + - name: kind + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + highest level in the ECS category hierarchy. + + `event.kind` gives high-level information about what type of information the + event contains, without being specific to the contents of the event. For example, + values of this field distinguish alert events from metric events. + + The value of this field can be used to inform how these kinds of events should + be handled. They may warrant different retention, different access control, + it may also help understand whether the data coming in at a regular interval + or not.' + example: alert + - name: module + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the module this data is coming from. + + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. Apache logs), `event.module` should contain + the name of this module.' + example: apache + - name: sequence + level: extended + type: long + format: string + description: 'Sequence number of the event. + + The sequence number is a value published by some event sources, to make the + exact ordering of events unambiguous, regardless of the timestamp precision.' 
+ - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + third level in the ECS category hierarchy. + + `event.type` represents a categorization "sub-bucket" that, when used along + with the `event.category` field values, enables filtering events down to a + level appropriate for single visualization. + + This field is an array. This will allow proper categorization of some events + that fall in multiple event types.' +- name: group + title: Group + group: 2 + description: The group fields are meant to represent groups that are relevant + to the event. + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.real + level: custom + type: object + object_type: keyword + description: Group info prior to any setgid operations. + default_field: false + - name: Ext.real.id + level: custom + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: Ext.real.name + level: custom + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the + event happened, or from which the measurement was taken. Host types include + hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
+ type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: os.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: os.Ext.variant + level: custom + type: keyword + ignore_above: 1024 + description: A string value or phrase that further aid to classify or qualify + the operating system (OS). For example the distribution for a Linux OS will + be entered in this field. + example: Ubuntu + default_field: false + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.full + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, including the version or code name. 
+ example: Mac OS Mojave + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 +- name: package + title: Package + group: 2 + description: These fields contain information about an installed software package. + It contains general information about a package, such as name, version or size. + It also contains installation details, such as time or location. + type: group + fields: + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Package name + example: go +- name: process + title: Process + group: 2 + description: 'These fields contain information about a process. + + These fields can help you correlate metrics information with a process id/name + from a log message. The `process.pid` often stays in the metric itself and + is copied to the global field for correlation.' + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. 
+ default_field: false + - name: Ext.ancestry + level: custom + type: keyword + ignore_above: 1024 + description: An array of entity_ids indicating the ancestors for this event + default_field: false + - name: Ext.authentication_id + level: custom + type: keyword + ignore_above: 1024 + description: Process authentication ID + default_field: false + - name: Ext.session + level: custom + type: keyword + ignore_above: 1024 + description: Session information for the current process + default_field: false + - name: Ext.token.elevation + level: custom + type: boolean + description: Whether the token is elevated or not + default_field: false + - name: Ext.token.elevation_type + level: custom + type: keyword + ignore_above: 1024 + description: What level of elevation the token has + example: one of "default", "full", "limited" + default_field: false + - name: Ext.token.integrity_level_name + level: custom + type: keyword + ignore_above: 1024 + description: Human readable integrity level. + example: one of "system", "high", "medium", "low", "untrusted" + default_field: false + - name: args + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of process arguments, starting with the absolute path to + the executable. + + May be filtered to protect sensitive information.' + example: + - /usr/bin/ssh + - -l + - user + - 10.0.0.16 + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: command_line + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + default_field: false + - name: entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + - name: exit_code + level: extended + type: long + description: 'The exit code of the process, if this is a termination event. + + The field should be absent if there is no exit code for the event (e.g. process + start).' + example: 137 + default_field: false + - name: hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + - name: hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. 
+ - name: hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: parent.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: parent.Ext.real + level: custom + type: object + object_type: keyword + description: The field set containing parent process info in case of any ppid + spoofing. + default_field: false + - name: parent.Ext.real.pid + level: custom + type: long + description: The ppid of the process that actually spawned the current process, + in case of ppid spoofing. + default_field: false + - name: parent.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: parent.executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + default_field: false + - name: parent.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Process name. + + Sometimes called program name or similar.' 
+ example: ssh + default_field: false + - name: parent.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 +- name: user + title: User + group: 2 + description: 'The user fields describe information about the user that is relevant + to the event. + + Fields can have one entry or multiple entries. If a user has more than one id, + provide an array that includes all of them.' + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.real + level: custom + type: object + object_type: keyword + description: User info prior to any setuid operations. + default_field: false + - name: Ext.real.id + level: custom + type: keyword + ignore_above: 1024 + description: One or multiple unique identifiers of the user. + default_field: false + - name: Ext.real.name + level: custom + type: keyword + ignore_above: 1024 + description: Short name or login of the user. + default_field: false + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. + - name: name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Short name or login of the user. 
+ example: albert
diff --git a/packages/endpoint/0.5.0/dataset/process/manifest.yml b/packages/endpoint/0.5.0/dataset/process/manifest.yml
new file mode 100644
index 0000000000..fc5b1d21f5
--- /dev/null
+++ b/packages/endpoint/0.5.0/dataset/process/manifest.yml
@@ -0,0 +1,5 @@
+title: Endpoint Process Events
+
+type: logs
+
+id: endpoint.events.process
diff --git a/packages/endpoint/0.5.0/dataset/registry/fields/fields.yml b/packages/endpoint/0.5.0/dataset/registry/fields/fields.yml
new file mode 100644
index 0000000000..d0c91726b6
--- /dev/null
+++ b/packages/endpoint/0.5.0/dataset/registry/fields/fields.yml
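Review bot: In the process fields.yml hunk, the allowed value sets for `process.Ext.token.elevation_type` and `process.Ext.token.integrity_level_name` are carried in `example:` (`one of "default", "full", "limited"`), so generated docs and sample documents will show that phrase as the example value rather than a valid one; move the enumeration into `description` and leave `example` as a single value, e.g. `example: full`. `process.Ext.ancestry` is described as "An array of entity_ids indicating the ancestors for this event" but does not say in which order the ancestors are listed, which a consumer rebuilding a process tree or a detection walking parents depends on; if the order is significant, state it in the description (nearest parent first or root first — confirm against the producer). Several custom descriptions in this hunk (`Ext.ancestry`, `Ext.authentication_id`, `Ext.session`, `Ext.token.elevation`, `code_signature.subject_name`) lack the terminating period that the ECS-derived entries use.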
@@ -0,0 +1,569 @@
+- name: '@timestamp'
+ level: core
+ required: true
+ type: date
+ description: 'Date/time when the event originated.
+
+ This is the date/time extracted from the event, typically representing when
+ the event was generated by the source.
+
+ If the event source has no original timestamp, this value is typically populated
+ by the first time the event was received by the pipeline.
+
+ Required field for all events.'
+ example: '2016-05-23T08:05:34.853Z'
+- name: message
+ level: core
+ type: text
+ description: 'For log events the message field contains the log message, optimized
+ for viewing in a log viewer.
+
+ For structured logs without an original message field, other fields can be concatenated
+ to form a human-readable summary of the event.
+
+ If multiple messages exist, they can be combined into one message.'
+ example: Hello World
+- name: agent
+ title: Agent
+ group: 2
+ description: 'The agent fields contain the data about the software entity, if
+ any, that collects, detects, or observes events on a host, or takes measurements
+ on a host.
+
+ Examples include Beats. Agents may also run on observers. ECS agent.* fields
+ shall be populated with details of the agent running on the host or observer
+ where the event happened or the measurement was taken.'
+ footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat.
+ For APM, it is the agent running in the app/service. The agent information does
+ not change if data is sent through queuing systems like Kafka, Redis, or processing
+ systems such as Logstash or APM Server.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique identifier of this agent (if one exists).
+
+ Example: For Beats this would be beat.id.'
+ example: 8a4f500d
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of the agent.
+ + The agent type stays always the same and should be given by the agent used. + In case of Filebeat the agent would always be Filebeat also if two Filebeat + instances are run on the same machine.' + example: filebeat + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Version of the agent. + example: 6.0.0-rc2 +- name: dataset + title: dataset + group: 2 + description: Fields describing the new indexing strategy -- + type: group + fields: + - name: name + level: custom + type: constant_keyword + description: Dataset name. + default_field: false + - name: namespace + level: custom + type: constant_keyword + description: Dataset namespace. + default_field: false + - name: type + level: custom + type: constant_keyword + description: Dataset type. + default_field: false +- name: ecs + title: ECS + group: 2 + description: Meta-information specific to ECS. + type: group + fields: + - name: version + level: core + required: true + type: keyword + ignore_above: 1024 + description: 'ECS version this event conforms to. `ecs.version` is a required + field and must exist in all events. + + When querying across multiple indices -- which may conform to slightly different + ECS versions -- this field lets integrations adjust to the schema version + of the events.' + example: 1.0.0 +- name: event + title: Event + group: 2 + description: 'The event fields are used for context information about the log + or metric event itself. + + A log is defined as an event containing details of something that happened. + Log events must include the time at which the thing happened. Examples of log + events include a process starting on a host, a network packet being sent from + a source to a destination, or a network connection between a client and a server + being initiated or closed. A metric is defined as an event containing one or + more numerical measurements and the time at which the measurement was taken. 
+ Examples of metric events include memory pressure measured on a host and device + temperature. See the `event.kind` definition in this section for additional + details about metric and state events.' + type: group + fields: + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is + normally defined by the implementer.' + example: user-password-change + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as + a subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: created + level: core + type: date + description: 'event.created contains the date/time when the event was first + read by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain + the time extracted from the original event. + + In most situations, these two timestamps will be slightly different. The difference + can be used to calculate the delay between your source generating an event, + and the time when your agent first processed it. This can be used to monitor + your agent''s or pipeline''s ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used.' 
+ example: '2016-05-23T08:05:34.857Z' + - name: dataset + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the dataset. + + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which one the event comes + from. + + It''s recommended but not required to start the dataset name with the module + name, followed by a dot, then the dataset name.' + example: apache.access + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique ID to describe the event. + example: 8a4f500d + - name: kind + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + highest level in the ECS category hierarchy. + + `event.kind` gives high-level information about what type of information the + event contains, without being specific to the contents of the event. For example, + values of this field distinguish alert events from metric events. + + The value of this field can be used to inform how these kinds of events should + be handled. They may warrant different retention, different access control, + it may also help understand whether the data coming in at a regular interval + or not.' + example: alert + - name: module + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the module this data is coming from. + + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. Apache logs), `event.module` should contain + the name of this module.' + example: apache + - name: sequence + level: extended + type: long + format: string + description: 'Sequence number of the event. + + The sequence number is a value published by some event sources, to make the + exact ordering of events unambiguous, regardless of the timestamp precision.' 
+ - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + third level in the ECS category hierarchy. + + `event.type` represents a categorization "sub-bucket" that, when used along + with the `event.category` field values, enables filtering events down to a + level appropriate for single visualization. + + This field is an array. This will allow proper categorization of some events + that fall in multiple event types.' +- name: group + title: Group + group: 2 + description: The group fields are meant to represent groups that are relevant + to the event. + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.real + level: custom + type: object + object_type: keyword + description: Group info prior to any setgid operations. + default_field: false + - name: Ext.real.id + level: custom + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: Ext.real.name + level: custom + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the + event happened, or from which the measurement was taken. Host types include + hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
+ type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: os.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: os.Ext.variant + level: custom + type: keyword + ignore_above: 1024 + description: A string value or phrase that further aid to classify or qualify + the operating system (OS). For example the distribution for a Linux OS will + be entered in this field. + example: Ubuntu + default_field: false + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.full + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, including the version or code name. 
+ example: Mac OS Mojave + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 +- name: process + title: Process + group: 2 + description: 'These fields contain information about a process. + + These fields can help you correlate metrics information with a process id/name + from a log message. The `process.pid` often stays in the metric itself and + is copied to the global field for correlation.' + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.ancestry + level: custom + type: keyword + ignore_above: 1024 + description: An array of entity_ids indicating the ancestors for this event + default_field: false + - name: entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d + default_field: false + - name: executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 +- name: registry + title: Registry + group: 2 + description: Fields related to Windows Registry operations. + type: group + fields: + - name: data.bytes + level: extended + type: keyword + ignore_above: 1024 + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + default_field: false + - name: data.strings + level: core + type: keyword + ignore_above: 1024 + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + default_field: false + - name: hive + level: core + type: keyword + ignore_above: 1024 + description: Abbreviated name for the hive. 
+ example: HKLM + default_field: false + - name: key + level: core + type: keyword + ignore_above: 1024 + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + default_field: false + - name: path + level: core + type: keyword + ignore_above: 1024 + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + default_field: false + - name: value + level: core + type: keyword + ignore_above: 1024 + description: Name of the value written. + example: Debugger + default_field: false +- name: user + title: User + group: 2 + description: 'The user fields describe information about the user that is relevant + to the event. + + Fields can have one entry or multiple entries. If a user has more than one id, + provide an array that includes all of them.' + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.real + level: custom + type: object + object_type: keyword + description: User info prior to any setuid operations. + default_field: false + - name: Ext.real.id + level: custom + type: keyword + ignore_above: 1024 + description: One or multiple unique identifiers of the user. + default_field: false + - name: Ext.real.name + level: custom + type: keyword + ignore_above: 1024 + description: Short name or login of the user. + default_field: false + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. 
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Short name or login of the user.
+ example: albert
diff --git a/packages/endpoint/0.5.0/dataset/registry/manifest.yml b/packages/endpoint/0.5.0/dataset/registry/manifest.yml
new file mode 100644
index 0000000000..497aed83c8
--- /dev/null
+++ b/packages/endpoint/0.5.0/dataset/registry/manifest.yml
@@ -0,0 +1,5 @@
+title: Endpoint Registry Events
+
+type: logs
+
+id: endpoint.events.registry
diff --git a/packages/endpoint/0.5.0/dataset/security/fields/fields.yml b/packages/endpoint/0.5.0/dataset/security/fields/fields.yml
new file mode 100644
index 0000000000..897403acab
--- /dev/null
+++ b/packages/endpoint/0.5.0/dataset/security/fields/fields.yml
@@ -0,0 +1,510 @@ +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when + the event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: agent + title: Agent + group: 2 + description: 'The agent fields contain the data about the software entity, if + any, that collects, detects, or observes events on a host, or takes measurements + on a host. + + Examples include Beats. Agents may also run on observers. ECS agent.* fields + shall be populated with details of the agent running on the host or observer + where the event happened or the measurement was taken.' + footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat. + For APM, it is the agent running in the app/service. The agent information does + not change if data is sent through queuing systems like Kafka, Redis, or processing + systems such as Logstash or APM Server.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique identifier of this agent (if one exists). + + Example: For Beats this would be beat.id.' + example: 8a4f500d + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of the agent. 
+ + The agent type stays always the same and should be given by the agent used. + In case of Filebeat the agent would always be Filebeat also if two Filebeat + instances are run on the same machine.' + example: filebeat + - name: version + level: core + type: keyword + ignore_above: 1024 + description: Version of the agent. + example: 6.0.0-rc2 +- name: dataset + title: dataset + group: 2 + description: Fields describing the new indexing strategy -- + type: group + fields: + - name: name + level: custom + type: constant_keyword + description: Dataset name. + default_field: false + - name: namespace + level: custom + type: constant_keyword + description: Dataset namespace. + default_field: false + - name: type + level: custom + type: constant_keyword + description: Dataset type. + default_field: false +- name: ecs + title: ECS + group: 2 + description: Meta-information specific to ECS. + type: group + fields: + - name: version + level: core + required: true + type: keyword + ignore_above: 1024 + description: 'ECS version this event conforms to. `ecs.version` is a required + field and must exist in all events. + + When querying across multiple indices -- which may conform to slightly different + ECS versions -- this field lets integrations adjust to the schema version + of the events.' + example: 1.0.0 +- name: event + title: Event + group: 2 + description: 'The event fields are used for context information about the log + or metric event itself. + + A log is defined as an event containing details of something that happened. + Log events must include the time at which the thing happened. Examples of log + events include a process starting on a host, a network packet being sent from + a source to a destination, or a network connection between a client and a server + being initiated or closed. A metric is defined as an event containing one or + more numerical measurements and the time at which the measurement was taken. 
+ Examples of metric events include memory pressure measured on a host and device + temperature. See the `event.kind` definition in this section for additional + details about metric and state events.' + type: group + fields: + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is + normally defined by the implementer.' + example: user-password-change + - name: category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as + a subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + - name: created + level: core + type: date + description: 'event.created contains the date/time when the event was first + read by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain + the time extracted from the original event. + + In most situations, these two timestamps will be slightly different. The difference + can be used to calculate the delay between your source generating an event, + and the time when your agent first processed it. This can be used to monitor + your agent''s or pipeline''s ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used.' 
+ example: '2016-05-23T08:05:34.857Z' + - name: dataset + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the dataset. + + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which one the event comes + from. + + It''s recommended but not required to start the dataset name with the module + name, followed by a dot, then the dataset name.' + example: apache.access + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique ID to describe the event. + example: 8a4f500d + - name: kind + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + highest level in the ECS category hierarchy. + + `event.kind` gives high-level information about what type of information the + event contains, without being specific to the contents of the event. For example, + values of this field distinguish alert events from metric events. + + The value of this field can be used to inform how these kinds of events should + be handled. They may warrant different retention, different access control, + it may also help understand whether the data coming in at a regular interval + or not.' + example: alert + - name: module + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the module this data is coming from. + + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. Apache logs), `event.module` should contain + the name of this module.' + example: apache + - name: sequence + level: extended + type: long + format: string + description: 'Sequence number of the event. + + The sequence number is a value published by some event sources, to make the + exact ordering of events unambiguous, regardless of the timestamp precision.' 
+ - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + third level in the ECS category hierarchy. + + `event.type` represents a categorization "sub-bucket" that, when used along + with the `event.category` field values, enables filtering events down to a + level appropriate for single visualization. + + This field is an array. This will allow proper categorization of some events + that fall in multiple event types.' +- name: group + title: Group + group: 2 + description: The group fields are meant to represent groups that are relevant + to the event. + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.real + level: custom + type: object + object_type: keyword + description: Group info prior to any setgid operations. + default_field: false + - name: Ext.real.id + level: custom + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: Ext.real.name + level: custom + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the + event happened, or from which the measurement was taken. Host types include + hardware, virtual machines, Docker containers, and Kubernetes nodes.' 
+ type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified + domain name, or a name specified by the user. The sender decides which value + to use.' + - name: os.Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: os.Ext.variant + level: custom + type: keyword + ignore_above: 1024 + description: A string value or phrase that further aid to classify or qualify + the operating system (OS). For example the distribution for a Linux OS will + be entered in this field. + example: Ubuntu + default_field: false + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.full + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, including the version or code name. 
+ example: Mac OS Mojave + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 +- name: process + title: Process + group: 2 + description: 'These fields contain information about a process. + + These fields can help you correlate metrics information with a process id/name + from a log message. The `process.pid` often stays in the metric itself and + is copied to the global field for correlation.' + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.ancestry + level: custom + type: keyword + ignore_above: 1024 + description: An array of entity_ids indicating the ancestors for this event + default_field: false + - name: entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' 
+ example: c2c455d9f99375d + default_field: false + - name: executable + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Absolute path to the process executable. + example: /usr/bin/ssh + - name: name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + - name: pid + level: core + type: long + format: string + description: Process id. + example: 4242 + - name: thread.id + level: extended + type: long + format: string + description: Thread ID. + example: 4242 +- name: user + title: User + group: 2 + description: 'The user fields describe information about the user that is relevant + to the event. + + Fields can have one entry or multiple entries. If a user has more than one id, + provide an array that includes all of them.' + type: group + fields: + - name: Ext + level: custom + type: object + object_type: keyword + description: Object for all custom defined fields to live in. + default_field: false + - name: Ext.real + level: custom + type: object + object_type: keyword + description: User info prior to any setuid operations. + default_field: false + - name: Ext.real.id + level: custom + type: keyword + ignore_above: 1024 + description: One or multiple unique identifiers of the user. + default_field: false + - name: Ext.real.name + level: custom + type: keyword + ignore_above: 1024 + description: Short name or login of the user. + default_field: false + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the directory the user is a member of. + + For example, an LDAP or Active Directory domain name.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifiers of the user. 
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Short name or login of the user.
+ example: albert
diff --git a/packages/endpoint/0.5.0/dataset/security/manifest.yml b/packages/endpoint/0.5.0/dataset/security/manifest.yml
new file mode 100644
index 0000000000..5368ba3035
--- /dev/null
+++ b/packages/endpoint/0.5.0/dataset/security/manifest.yml
@@ -0,0 +1,5 @@
+title: Endpoint Security Events
+
+type: logs
+
+id: endpoint.events.security
diff --git a/packages/endpoint/0.5.0/dataset/telemetry/fields/fields.yml b/packages/endpoint/0.5.0/dataset/telemetry/fields/fields.yml
new file mode 100644
index 0000000000..bce308517b
--- /dev/null
+++ b/packages/endpoint/0.5.0/dataset/telemetry/fields/fields.yml
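Review bot: The `dataset` group's description in this hunk, `Fields describing the new indexing strategy --`, ends on a dangling `--` and reads as a sentence that was cut off; the same text is repeated in the telemetry fields.yml hunk that follows. Since the group only declares `name`, `namespace` and `type`, a complete sentence such as `description: Fields describing the new indexing strategy (dataset name, namespace and type).` would say what a reader of the generated docs actually needs. Two smaller wording defects in the same hunk: `process.Ext.ancestry` is the only leaf whose description lacks a terminal period (`An array of entity_ids indicating the ancestors for this event.`), and `host.os.Ext.variant` should read `A string value or phrase that further aids in classifying or qualifying the operating system (OS).` These appear in every dataset's fields.yml in this commit, so the fix belongs in whatever source generates them rather than in each copy.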
@@ -0,0 +1,444 @@ +- name: '@timestamp' + level: core + required: true + type: date + description: 'Date/time when the event originated. + + This is the date/time extracted from the event, typically representing when + the event was generated by the source. + + If the event source has no original timestamp, this value is typically populated + by the first time the event was received by the pipeline. + + Required field for all events.' + example: '2016-05-23T08:05:34.853Z' +- name: message + level: core + type: text + description: 'For log events the message field contains the log message, optimized + for viewing in a log viewer. + + For structured logs without an original message field, other fields can be concatenated + to form a human-readable summary of the event. + + If multiple messages exist, they can be combined into one message.' + example: Hello World +- name: Endpoint + title: Endpoint + group: 2 + description: Fields describing the state of the Elastic Endpoint when an event + occurs. 
+ type: group + fields: + - name: metrics + level: custom + type: object + object_type: keyword + description: Metrics fields hold the endpoint and system's performance metrics + default_field: false + - name: metrics.cpu + level: custom + type: object + object_type: keyword + description: CPU statistics + default_field: false + - name: metrics.cpu.endpoint + level: custom + type: object + object_type: keyword + description: CPU metrics for the endpoint + default_field: false + - name: metrics.cpu.endpoint.histogram + level: custom + type: histogram + description: This field defines an elasticsearch histogram field (https://www.elastic.co/guide/en/elasticsearch/reference/current/histogram.html#histogram) + The values field includes 20 buckets (each bucket is 5%) representing the + cpu usage The counts field includes 20 buckets of how many times the endpoint's + cpu usage fell into each bucket + default_field: false + - name: metrics.cpu.endpoint.latest + level: custom + type: half_float + description: Average CPU over the last sample interval + default_field: false + - name: metrics.cpu.endpoint.mean + level: custom + type: half_float + description: Average CPU load used by the endpoint + default_field: false + - name: metrics.disks + level: custom + type: object + object_type: keyword + description: An array of disk information for the host + enabled: false + default_field: false + - name: metrics.disks.device + level: custom + type: keyword + ignore_above: 1024 + description: Device name + default_field: false + - name: metrics.disks.endpoint_drive + level: custom + type: boolean + description: This field will be present and set to true only for the drive that + holds the installed endpoint + default_field: false + - name: metrics.disks.free + level: custom + type: long + description: The number of bytes marked as free on the disk + default_field: false + - name: metrics.disks.fstype + level: custom + type: keyword + ignore_above: 1024 + description: The file 
system type for the drive + default_field: false + - name: metrics.disks.mount + level: custom + type: keyword + ignore_above: 1024 + description: The disks mount location + default_field: false + - name: metrics.disks.total + level: custom + type: long + description: The size of the disk in bytes + default_field: false + - name: metrics.memory + level: custom + type: object + object_type: keyword + description: Memory statistics + default_field: false + - name: metrics.memory.endpoint + level: custom + type: object + object_type: keyword + description: Endpoint memory utilization + default_field: false + - name: metrics.memory.endpoint.private + level: custom + type: object + object_type: keyword + description: The memory private to the endpoint + default_field: false + - name: metrics.memory.endpoint.private.latest + level: custom + type: long + description: The memory usage by the endpoint for the last sample interval + default_field: false + - name: metrics.memory.endpoint.private.mean + level: custom + type: long + description: Average memory usage by the endpoint since its start + default_field: false + - name: metrics.threads + level: custom + type: object + object_type: keyword + description: Statistics about the individual threads of the system (array) + enabled: false + default_field: false + - name: metrics.uptime + level: custom + type: object + object_type: keyword + description: Number of seconds since boot + default_field: false + - name: metrics.uptime.endpoint + level: custom + type: long + description: Number of seconds since the endpoint was started + default_field: false + - name: metrics.uptime.system + level: custom + type: long + description: Number of seconds since the system was started + default_field: false +- name: dataset + title: dataset + group: 2 + description: Fields describing the new indexing strategy -- + type: group + fields: + - name: name + level: custom + type: constant_keyword + description: Dataset name. 
+ default_field: false + - name: namespace + level: custom + type: constant_keyword + description: Dataset namespace. + default_field: false + - name: type + level: custom + type: constant_keyword + description: Dataset type. + default_field: false +- name: ecs + title: ECS + group: 2 + description: Meta-information specific to ECS. + type: group + fields: + - name: version + level: core + required: true + type: keyword + ignore_above: 1024 + description: 'ECS version this event conforms to. `ecs.version` is a required + field and must exist in all events. + + When querying across multiple indices -- which may conform to slightly different + ECS versions -- this field lets integrations adjust to the schema version + of the events.' + example: 1.0.0 +- name: event + title: Event + group: 2 + description: 'The event fields are used for context information about the log + or metric event itself. + + A log is defined as an event containing details of something that happened. + Log events must include the time at which the thing happened. Examples of log + events include a process starting on a host, a network packet being sent from + a source to a destination, or a network connection between a client and a server + being initiated or closed. A metric is defined as an event containing one or + more numerical measurements and the time at which the measurement was taken. + Examples of metric events include memory pressure measured on a host and device + temperature. See the `event.kind` definition in this section for additional + details about metric and state events.' + type: group + fields: + - name: action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is + normally defined by the implementer.' 
+ example: user-password-change
+ - name: category
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'This is one of four ECS Categorization Fields, and indicates the
+ second level in the ECS category hierarchy.
+
+ `event.category` represents the "big buckets" of ECS categories. For example,
+ filtering on `event.category:process` yields all events relating to process
+ activity. This field is closely related to `event.type`, which is used as
+ a subcategory.
+
+ This field is an array. This will allow proper categorization of some events
+ that fall in multiple categories.'
+ example: authentication
+ - name: created
+ level: core
+ type: date
+ description: 'event.created contains the date/time when the event was first
+ read by an agent, or by your pipeline.
+
+ This field is distinct from @timestamp in that @timestamp typically contain
+ the time extracted from the original event.
+
+ In most situations, these two timestamps will be slightly different. The difference
+ can be used to calculate the delay between your source generating an event,
+ and the time when your agent first processed it. This can be used to monitor
+ your agent''s or pipeline''s ability to keep up with your event source.
+
+ In case the two timestamps are identical, @timestamp should be used.'
+ example: '2016-05-23T08:05:34.857Z'
+ - name: dataset
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the dataset.
+
+ If an event source publishes more than one type of log or events (e.g. access
+ log, error log), the dataset is used to specify which one the event comes
+ from.
+
+ It''s recommended but not required to start the dataset name with the module
+ name, followed by a dot, then the dataset name.'
+ example: apache.access
+ - name: end
+ level: extended
+ type: date
+ description: event.end contains the date when the event ended or when the activity
+ was last observed.
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique ID to describe the event.
+ example: 8a4f500d
+ - name: kind
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'This is one of four ECS Categorization Fields, and indicates the
+ highest level in the ECS category hierarchy.
+
+ `event.kind` gives high-level information about what type of information the
+ event contains, without being specific to the contents of the event. For example,
+ values of this field distinguish alert events from metric events.
+
+ The value of this field can be used to inform how these kinds of events should
+ be handled. They may warrant different retention, different access control,
+ it may also help understand whether the data coming in at a regular interval
+ or not.'
+ example: alert
+ - name: module
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the module this data is coming from.
+
+ If your monitoring agent supports the concept of modules or plugins to process
+ events of a given source (e.g. Apache logs), `event.module` should contain
+ the name of this module.'
+ example: apache
+ - name: sequence
+ level: extended
+ type: long
+ format: string
+ description: 'Sequence number of the event.
+
+ The sequence number is a value published by some event sources, to make the
+ exact ordering of events unambiguous, regardless of the timestamp precision.'
+ - name: start
+ level: extended
+ type: date
+ description: event.start contains the date when the event started or when the
+ activity was first observed.
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'This is one of four ECS Categorization Fields, and indicates the
+ third level in the ECS category hierarchy.
+
+ `event.type` represents a categorization "sub-bucket" that, when used along
+ with the `event.category` field values, enables filtering events down to a
+ level appropriate for single visualization.
+
+ This field is an array. This will allow proper categorization of some events
+ that fall in multiple event types.'
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the
+ event happened, or from which the measurement was taken. Host types include
+ hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified
+ domain name, or a name specified by the user. The sender decides which value
+ to use.'
+ - name: os.Ext
+ level: custom
+ type: object
+ object_type: keyword
+ description: Object for all custom defined fields to live in.
+ default_field: false
+ - name: os.Ext.variant
+ level: custom
+ type: keyword
+ ignore_above: 1024
+ description: A string value or phrase that further aid to classify or qualify
+ the operating system (OS). For example the distribution for a Linux OS will
+ be entered in this field.
+ example: Ubuntu
+ default_field: false
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.full
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, including the version or code name.
+ example: Mac OS Mojave
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
diff --git a/packages/endpoint/0.5.0/dataset/telemetry/manifest.yml b/packages/endpoint/0.5.0/dataset/telemetry/manifest.yml
new file mode 100644
index 0000000000..f02dad4783
--- /dev/null
+++ b/packages/endpoint/0.5.0/dataset/telemetry/manifest.yml
@@ -0,0 +1,3 @@
+title: Endpoint Telemetry
+
+type: metrics
diff --git a/packages/endpoint/0.5.0/docs/README.md b/packages/endpoint/0.5.0/docs/README.md
new file mode 100644
index 0000000000..5748706855
--- /dev/null
+++ b/packages/endpoint/0.5.0/docs/README.md
@@ -0,0 +1,3 @@
+# Endpoint package
+
+This is a module for the Endpoint Kibana App and Elastic Endpoint. It sets up the templates, index patterns, aliases, and dashboards.
diff --git a/packages/endpoint/0.5.0/img/logo-endpoint-64-color.svg b/packages/endpoint/0.5.0/img/logo-endpoint-64-color.svg
new file mode 100644
index 0000000000..b03007a76f
--- /dev/null
+++ b/packages/endpoint/0.5.0/img/logo-endpoint-64-color.svg
@@ -0,0 +1,7 @@
+
+
+
+
+
+
+
diff --git a/packages/endpoint/0.5.0/kibana/dashboard/826759f0-7074-11ea-9bc8-6b38f4d29a16.json b/packages/endpoint/0.5.0/kibana/dashboard/826759f0-7074-11ea-9bc8-6b38f4d29a16.json
new file mode 100644
index 0000000000..30035b18ed
--- /dev/null
+++ b/packages/endpoint/0.5.0/kibana/dashboard/826759f0-7074-11ea-9bc8-6b38f4d29a16.json
@@ -0,0 +1,53 @@
+{
+ "attributes": {
+ "description": "",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Endpoint Data Filter\",\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"agent.type\",\"negate\":false,\"params\":{\"query\":\"endpoint\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"agent.type\":\"endpoint\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}"
+ },
+ "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}",
+ "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Controls\"},\"gridData\":{\"h\":7,\"i\":\"c923502a-9a0e-47bb-8d1b-e642b399c8e3\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"c923502a-9a0e-47bb-8d1b-e642b399c8e3\",\"panelRefName\":\"panel_0\",\"title\":\"Controls\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"hiddenLayers\":[],\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":37.4065,\"lon\":-94.14774,\"zoom\":0.74},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"728b8d81-2f01-4e52-8b9a-94a5c9b62f0f\",\"w\":48,\"x\":0,\"y\":7},\"panelIndex\":\"728b8d81-2f01-4e52-8b9a-94a5c9b62f0f\",\"panelRefName\":\"panel_1\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":10,\"i\":\"2b6b6a19-3870-4127-bccf-c81c51e10544\",\"w\":48,\"x\":0,\"y\":22},\"panelIndex\":\"2b6b6a19-3870-4127-bccf-c81c51e10544\",\"panelRefName\":\"panel_2\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Endpoint Count by Operating System\"},\"gridData\":{\"h\":15,\"i\":\"996c9423-7803-49e0-92d8-4ccfde71b425\",\"w\":25,\"x\":0,\"y\":32},\"panelIndex\":\"996c9423-7803-49e0-92d8-4ccfde71b425\",\"panelRefName\":\"panel_3\",\"title\":\"Endpoint Count by Operating System\",\"version\":\"7.6.1\"},{\"embeddableConfig\":{\"title\":\"Event Count by 
Category\"},\"gridData\":{\"h\":15,\"i\":\"e16e025f-20c4-4075-8342-76820c2ff4c7\",\"w\":23,\"x\":25,\"y\":32},\"panelIndex\":\"e16e025f-20c4-4075-8342-76820c2ff4c7\",\"panelRefName\":\"panel_4\",\"title\":\"Event Count by Category\",\"version\":\"7.6.1\"}]",
+ "timeRestore": false,
+ "title": "Endpoint Dashboard",
+ "version": 1
+ },
+ "id": "826759f0-7074-11ea-9bc8-6b38f4d29a16",
+ "migrationVersion": {
+ "dashboard": "7.3.0"
+ },
+ "references": [
+ {
+ "id": "events-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "1cfceda0-728b-11ea-9bc8-6b38f4d29a16",
+ "name": "panel_0",
+ "type": "visualization"
+ },
+ {
+ "id": "a3a3bd10-706b-11ea-9bc8-6b38f4d29a16",
+ "name": "panel_1",
+ "type": "map"
+ },
+ {
+ "id": "55387750-729c-11ea-9bc8-6b38f4d29a16",
+ "name": "panel_2",
+ "type": "visualization"
+ },
+ {
+ "id": "92b1edc0-706a-11ea-9bc8-6b38f4d29a16",
+ "name": "panel_3",
+ "type": "visualization"
+ },
+ {
+ "id": "1e525190-7074-11ea-9bc8-6b38f4d29a16",
+ "name": "panel_4",
+ "type": "visualization"
+ }
+ ],
+ "type": "dashboard",
+ "updated_at": "2020-04-01T16:40:15.811Z",
+ "version": "WzI1MywxXQ=="
+}
\ No newline at end of file
diff --git a/packages/endpoint/0.5.0/kibana/map/a3a3bd10-706b-11ea-9bc8-6b38f4d29a16.json b/packages/endpoint/0.5.0/kibana/map/a3a3bd10-706b-11ea-9bc8-6b38f4d29a16.json
new file mode 100644
index 0000000000..7e0d269174
--- /dev/null
+++ b/packages/endpoint/0.5.0/kibana/map/a3a3bd10-706b-11ea-9bc8-6b38f4d29a16.json
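Review bot: Every reference in this dashboard, and in each visualization and the map that follow in this commit, resolves an index pattern by the literal id `events-*`, and the commit's file list contains no index-pattern saved object that would create it. If the Endpoint app does not provision `events-*` itself, the dashboard imports but every panel fails to resolve its `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index` reference; confirm the pattern is supplied elsewhere or ship it with the package. The embedded panels are stamped `"version":"7.6.1"` and `migrationVersion.dashboard` is `7.3.0`, while the manifest later in this commit requires Kibana `>=7.9.0`; that is presumably handled by saved-object migration on import, but it deserves one verification against a 7.9 instance before release.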
@@ -0,0 +1,50 @@
+{
+ "attributes": {
+ "bounds": {
+ "coordinates": [
+ [
+ [
+ -180,
+ 79.49858
+ ],
+ [
+ -180,
+ -84.59877
+ ],
+ [
+ 180,
+ -84.59877
+ ],
+ [
+ 180,
+ 79.49858
+ ],
+ [
+ -180,
+ 79.49858
+ ]
+ ]
+ ],
+ "type": "Polygon"
+ },
+ "description": "",
+ "layerListJSON": "[{\"alpha\":1,\"id\":\"526f1956-b031-487b-887f-15901691696a\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"da92df53-51bf-446f-8f88-21933fea8fe3\",\"label\":\"Endpoints\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"geoField\":\"host.geo.location\",\"id\":\"872f1625-c279-44a8-b4d3-f698b0a5e907\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"metrics\":[{\"field\":\"agent.id\",\"label\":\"Number of Endpoints\",\"type\":\"cardinality\"}],\"requestType\":\"point\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#54B399\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"field\":{\"label\":\"Number of Endpoints\",\"name\":\"cardinality_of_agent.id\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3},\"maxSize\":35,\"minSize\":10},\"type\":\"DYNAMIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"field\":{\"label\":\"Number of 
Endpoints\",\"name\":\"cardinality_of_agent.id\",\"origin\":\"source\"}},\"type\":\"DYNAMIC\"},\"lineColor\":{\"options\":{\"color\":\"#FFF\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":0},\"type\":\"STATIC\"},\"symbol\":{\"options\":{\"symbolId\":\"airfield\",\"symbolizeAs\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true}]",
+ "mapStateJSON": "{\"center\":{\"lat\":-18.76202,\"lon\":-72.02031},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":false},\"timeFilters\":{\"from\":\"now-15d\",\"to\":\"now\"},\"zoom\":0.71}",
+ "title": "[Endpoint] Endpoint Map",
+ "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}"
+ },
+ "id": "a3a3bd10-706b-11ea-9bc8-6b38f4d29a16",
+ "migrationVersion": {
+ "map": "7.6.0"
+ },
+ "references": [
+ {
+ "id": "events-*",
+ "name": "layer_1_source_index_pattern",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "map",
+ "updated_at": "2020-04-01T16:27:16.377Z",
+ "version": "WzIzNywxXQ=="
+}
\ No newline at end of file
diff --git a/packages/endpoint/0.5.0/kibana/visualization/1cfceda0-728b-11ea-9bc8-6b38f4d29a16.json b/packages/endpoint/0.5.0/kibana/visualization/1cfceda0-728b-11ea-9bc8-6b38f4d29a16.json
new file mode 100644
index 0000000000..d312bb62d8
--- /dev/null
+++ b/packages/endpoint/0.5.0/kibana/visualization/1cfceda0-728b-11ea-9bc8-6b38f4d29a16.json
@@ -0,0 +1,31 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{}"
+ },
+ "title": "[Endpoint] Controls",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"host.os.name\",\"id\":\"1585575202047\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Operating Systems\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"event.category\",\"id\":\"1585575244711\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Event Categories\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":true},\"title\":\"[Endpoint] Controls\",\"type\":\"input_control_vis\"}"
+ },
+ "id": "1cfceda0-728b-11ea-9bc8-6b38f4d29a16",
+ "migrationVersion": {
+ "visualization": "7.4.2"
+ },
+ "references": [
+ {
+ "id": "events-*",
+ "name": "control_0_index_pattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "events-*",
+ "name": "control_1_index_pattern",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization",
+ "updated_at": "2020-04-01T16:08:32.353Z",
+ "version": "WzIyOCwxXQ=="
+}
\ No newline at end of file
diff --git a/packages/endpoint/0.5.0/kibana/visualization/1e525190-7074-11ea-9bc8-6b38f4d29a16.json b/packages/endpoint/0.5.0/kibana/visualization/1e525190-7074-11ea-9bc8-6b38f4d29a16.json
new file mode 100644
index 0000000000..c80dd6c296
--- /dev/null
+++ b/packages/endpoint/0.5.0/kibana/visualization/1e525190-7074-11ea-9bc8-6b38f4d29a16.json
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ },
+ "title": "[Endpoint] Event Count by Category",
+ "uiStateJSON": "{\"vis\":{\"colors\":{\"Event Count\":\"#614D93\"},\"legendOpen\":false}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Category\",\"field\":\"event.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"x\":{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"https://d13d17ee538641ceabf7512875888951.us-east-1.aws.found.io:9243\",\"pathname\":\"/app/kibana\"}}},\"label\":\"Event Category\",\"params\":{}},\"y\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Event Count\",\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Event 
Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Event Count\"},\"type\":\"value\"}]},\"title\":\"[Endpoint] Event Count by Category\",\"type\":\"horizontal_bar\"}"
+ },
+ "id": "1e525190-7074-11ea-9bc8-6b38f4d29a16",
+ "migrationVersion": {
+ "visualization": "7.4.2"
+ },
+ "references": [
+ {
+ "id": "events-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization",
+ "updated_at": "2020-04-01T16:09:31.699Z",
+ "version": "WzIzMSwxXQ=="
+}
\ No newline at end of file
diff --git a/packages/endpoint/0.5.0/kibana/visualization/55387750-729c-11ea-9bc8-6b38f4d29a16.json b/packages/endpoint/0.5.0/kibana/visualization/55387750-729c-11ea-9bc8-6b38f4d29a16.json
new file mode 100644
index 0000000000..be240fc426
--- /dev/null
+++ b/packages/endpoint/0.5.0/kibana/visualization/55387750-729c-11ea-9bc8-6b38f4d29a16.json
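Review bot: The `dimensions.x.format.params.parsedUrl` object inside `visState` carries the origin of the cluster the visualization was exported from, `https://d13d17ee538641ceabf7512875888951.us-east-1.aws.found.io:9243`; that is an environment-specific value that discloses the build deployment and has no function in a published package. The same `parsedUrl` block is embedded in `55387750-729c-11ea-9bc8-6b38f4d29a16.json` and `92b1edc0-706a-11ea-9bc8-6b38f4d29a16.json`. As far as I know Kibana 7.x rebuilds `dimensions` from `aggs` when the visualization renders, so removing `parsedUrl` (or the whole `dimensions` object) from the stored `visState` should be safe; re-import once to confirm the horizontal bar still renders. A `# saved objects must be scrubbed of parsedUrl before commit` reminder in the package README would keep this from reappearing on the next export.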
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ },
+ "title": "[Endpoint] Event Count by Hostname Table",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\",\"field\":\"event.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Operating System\",\"field\":\"host.os.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"https://d13d17ee538641ceabf7512875888951.us-east-1.aws.found.io:9243\",\"pathname\":\"/app/kibana\"}}},\"label\":\"Hostname\",\"params\":{}},{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"https://d13d17ee538641ceabf7512875888951.us-east-1.aws.found.io:9243\",\"pathname\":\"/app/kibana\"}}},\"label\":\"Operating 
System\",\"params\":{}},{\"accessor\":2,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"ip\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"https://d13d17ee538641ceabf7512875888951.us-east-1.aws.found.io:9243\",\"pathname\":\"/app/kibana\"}}},\"label\":\"IP Address\",\"params\":{}}],\"metrics\":[{\"accessor\":3,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Event Count\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"[Endpoint] Event Count by Hostname Table\",\"type\":\"table\"}"
+ },
+ "id": "55387750-729c-11ea-9bc8-6b38f4d29a16",
+ "migrationVersion": {
+ "visualization": "7.4.2"
+ },
+ "references": [
+ {
+ "id": "events-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization",
+ "updated_at": "2020-04-01T16:08:56.259Z",
+ "version": "WzIyOSwxXQ=="
+}
\ No newline at end of file
diff --git a/packages/endpoint/0.5.0/kibana/visualization/92b1edc0-706a-11ea-9bc8-6b38f4d29a16.json b/packages/endpoint/0.5.0/kibana/visualization/92b1edc0-706a-11ea-9bc8-6b38f4d29a16.json
new file mode 100644
index 0000000000..ad92844d7b
--- /dev/null
+++ b/packages/endpoint/0.5.0/kibana/visualization/92b1edc0-706a-11ea-9bc8-6b38f4d29a16.json
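Review bot: `params.dimensions` in `visState` contradicts `aggs`: it lists three buckets (`Hostname`, `Operating System`, `IP Address` with format id `ip`) and a metric at `accessor` 3, while `aggs` defines one `cardinality` metric and only two `terms` buckets (`host.name`, `host.os.name`), so an IP Address aggregation appears to have been deleted in the editor without the export being regenerated. Kibana probably recomputes table dimensions at render time, but a stored object that disagrees with itself is a maintenance trap; re-export the visualization after the edit so `dimensions` matches `aggs`. Separately, the column labelled `Event Count` is a `cardinality` of `event.id`, which is an approximate distinct count rather than an exact total; a label such as `Distinct Events (approx.)` would set expectations correctly for readers of the table.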
@@ -0,0 +1,26 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ },
+ "title": "[Endpoint] Endpoint Count by Operating System",
+ "uiStateJSON": "{\"vis\":{\"colors\":{\"Endpoint Count\":\"#7EB26D\"},\"legendOpen\":false}}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Endpoint Count\",\"field\":\"agent.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Operating System\",\"field\":\"host.os.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"x\":{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"https://d13d17ee538641ceabf7512875888951.us-east-1.aws.found.io:9243\",\"pathname\":\"/app/kibana\"}}},\"label\":\"Operating System\",\"params\":{}},\"y\":[{\"accessor\":1,\"aggType\":\"cardinality\",\"format\":{\"id\":\"number\"},\"label\":\"Endpoint Count\",\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Endpoint 
Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Endpoint Count\"},\"type\":\"value\"}]},\"title\":\"[Endpoint] Endpoint Count by Operating System\",\"type\":\"histogram\"}"
+ },
+ "id": "92b1edc0-706a-11ea-9bc8-6b38f4d29a16",
+ "migrationVersion": {
+ "visualization": "7.4.2"
+ },
+ "references": [
+ {
+ "id": "events-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization",
+ "updated_at": "2020-04-01T16:09:15.736Z",
+ "version": "WzIzMCwxXQ=="
+}
\ No newline at end of file
diff --git a/packages/endpoint/0.5.0/manifest.yml b/packages/endpoint/0.5.0/manifest.yml
new file mode 100644
index 0000000000..a9c9733641
--- /dev/null
+++ b/packages/endpoint/0.5.0/manifest.yml
@@ -0,0 +1,33 @@
+format_version: 1.0.0
+name: endpoint
+title: Elastic Endpoint
+description: This is the Elastic Endpoint package.
+version: 0.5.0
+categories: ["security"]
+# Options are experimental, beta, ga
+release: beta
+# The package type. The options for now are [integration, solution], more type might be added in the future.
+# The default type is integration and will be set if empty.
+type: solution
+license: basic
+# The endpoint package cannot be removed
+removable: false
+
+datasources:
+ - name: endpoint
+ title: Endpoint data source
+ description: Interact with the endpoint.
+
+ # This tells the UI that for configuration, it must link to a specific solution
+ # Only solution packages can contain this field.
+ solution: endpoint
+ multiple: false
+
+requirement:
+ kibana:
+ versions: ">=7.9.0"
+
+icons:
+ - src: "/img/logo-endpoint-64-color.svg"
+ size: "16x16"
+ type: "image/svg+xml"
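Review bot: `description: This is the Elastic Endpoint package.` only restates `title`, yet it is the text the package UI shows; the README added in this commit already says what the package does, so the manifest could carry the same sentence, `description: Sets up the templates, index patterns, aliases and dashboards for Elastic Endpoint data.` The data source entry has the same problem: `description: Interact with the endpoint.` does not tell an operator what enabling it configures, and a one-line description of the data it collects would be more useful. `requirement.kibana.versions: ">=7.9.0"` is open-ended while the saved objects in this commit are stamped `7.6.1` with `migrationVersion` 7.3.0–7.6.0; presumably that relies on saved-object migration at import, so a comment above the requirement noting which Kibana the objects were exported from would record that assumption for whoever bumps the bound next.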