Fede Galland 3e58e4188a
Remove ECS fields from gcp's custom fields definition (#675)
* Remove cloud.instance.name, service.type and dns.answers from gcp's custom fields definition

* Update the Wazuh Common Schema

* Update CHANGELOG.md

* Update push_schema.sh to commit everything under the docs/ folder

* Update the Wazuh Common Schema

---------

Co-authored-by: Wazuh Indexer Bot <github_devel_xdrsiem_indexer@wazuh.com>
Co-authored-by: Alex Ruiz <alejandro.ruiz.becerra@wazuh.com>
2025-12-01 16:46:38 +01:00

257 KiB

1ECS_VersionIndexedField_SetFieldTypeLevelNormalizationExampleDescription
29.1.0truebase@timestampdatecore2016-05-23T08:05:34.853ZDate/time when the event originated.
39.1.0truebasecompliancenestedcustomArray of compliance objects to support multiple frameworks per event.
49.1.0truebasemessagekeywordcoreHello WorldLog message optimized for viewing in a log viewer.
59.1.0trueagentagent.build.originalkeywordcoremetricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]Extended build information for the agent.
69.1.0trueagentagent.ephemeral_idkeywordextended8a4f500fEphemeral identifier of this agent.
79.1.0trueagentagent.groupskeywordcustomarray["group1", "group2"]List of groups the agent belongs to.
89.1.0trueagentagent.host.architecturekeywordcorex86_64Operating system architecture.
99.1.0trueagentagent.host.boot.idkeywordextended88a1f0ed-5ae5-41ee-af6b-41921c311872Linux boot uuid taken from /proc/sys/kernel/random/boot_id
109.1.0trueagentagent.host.cpuobjectcustom"name": "Intel(R) Core(TM) i7-7700HQ CPU", "cores": 4, "speed": 2800CPU-related data.
119.1.0trueagentagent.host.cpu.coreslongcustom4Number of CPU cores.
129.1.0trueagentagent.host.cpu.namekeywordcustomIntel(R) Core(TM) i7-7700HQ CPUCPU Model name.
139.1.0trueagentagent.host.cpu.speedlongcustom2800CPU clock speed.
149.1.0trueagentagent.host.cpu.usagescaled_floatextendedPercent CPU used, between 0 and 1.
159.1.0trueagentagent.host.disk.read.byteslongextendedThe number of bytes read by all disks.
169.1.0trueagentagent.host.disk.write.byteslongextendedThe number of bytes written on all disks.
179.1.0trueagentagent.host.domainkeywordextendedCONTOSOName of the directory the group is a member of.
189.1.0trueagentagent.host.geo.city_namekeywordcoreMontrealCity name.
199.1.0trueagentagent.host.geo.continent_codekeywordcoreNAContinent code.
209.1.0trueagentagent.host.geo.continent_namekeywordcoreNorth AmericaName of the continent.
219.1.0trueagentagent.host.geo.country_iso_codekeywordcoreCACountry ISO code.
229.1.0trueagentagent.host.geo.country_namekeywordcoreCanadaCountry name.
239.1.0trueagentagent.host.geo.locationgeo_pointcore{ "lon": -73.614830, "lat": 45.505918 }Longitude and latitude.
249.1.0trueagentagent.host.geo.namekeywordextendedboston-dcUser-defined description of a location.
259.1.0trueagentagent.host.geo.postal_codekeywordcore94040Postal code.
269.1.0trueagentagent.host.geo.region_iso_codekeywordcoreCA-QCRegion ISO code.
279.1.0trueagentagent.host.geo.region_namekeywordcoreQuebecRegion name.
289.1.0trueagentagent.host.geo.timezonekeywordcoreAmerica/Argentina/Buenos_AiresTime zone.
299.1.0trueagentagent.host.hostnamekeywordcoreHostname of the host.
309.1.0trueagentagent.host.idkeywordcoreUnique host id.
319.1.0trueagentagent.host.ipipcorearrayHost ip addresses.
329.1.0trueagentagent.host.mackeywordcorearray["00-00-5E-00-53-23", "00-00-5E-00-53-24"]Host MAC addresses.
339.1.0trueagentagent.host.memoryobjectcustom"total": 100000, "free": 90000, "used": {"percentage": 10}Memory-related data.
349.1.0trueagentagent.host.memory.freelongcustom1024Free memory in MB.
359.1.0trueagentagent.host.memory.totallongcustom1024Total memory in MB.
369.1.0trueagentagent.host.memory.usedobjectcustom"percentage": 10Used memory-related data.
379.1.0trueagentagent.host.memory.used.percentagelongcustom10Used memory percentage.
389.1.0trueagentagent.host.namekeywordcoreName of the host.
399.1.0trueagentagent.host.network.egress.byteslongextendedThe number of bytes sent on all network interfaces.
409.1.0trueagentagent.host.network.egress.dropslongcustom10Number of dropped transmitted packets.
419.1.0trueagentagent.host.network.egress.errorslongcustom10Number of transmission errors.
429.1.0trueagentagent.host.network.egress.packetslongextendedThe number of packets sent on all network interfaces.
439.1.0trueagentagent.host.network.egress.queuelongcustom10Transmit queue length.
449.1.0trueagentagent.host.network.ingress.byteslongextendedThe number of bytes received on all network interfaces.
459.1.0trueagentagent.host.network.ingress.dropslongcustom10Number of dropped received packets.
469.1.0trueagentagent.host.network.ingress.errorslongcustom10Number of reception errors.
479.1.0trueagentagent.host.network.ingress.packetslongextendedThe number of packets received on all network interfaces.
489.1.0trueagentagent.host.network.ingress.queuelongcustom10Receive queue length.
499.1.0trueagentagent.host.os.familykeywordextendeddebianOS family (such as redhat, debian, freebsd, windows).
509.1.0trueagentagent.host.os.fullkeywordextendedMac OS MojaveOperating system name, including the version or code name.
519.1.0trueagentagent.host.os.kernelkeywordextended4.4.0-112-genericOperating system kernel version as a raw string.
529.1.0trueagentagent.host.os.namekeywordextendedMac OS XOperating system name, without the version.
539.1.0trueagentagent.host.os.platformkeywordextendeddarwinOperating system platform (such centos, ubuntu, windows).
549.1.0trueagentagent.host.os.typekeywordextendedmacosWhich commercial OS family (one of: linux, macos, unix, windows, ios or android).
559.1.0trueagentagent.host.os.versionkeywordextended10.14.1Operating system version as a raw string.
569.1.0trueagentagent.host.pid_ns_inokeywordextended256383Pid namespace inode
579.1.0trueagentagent.host.risk.calculated_levelkeywordextendedHighA risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
589.1.0trueagentagent.host.risk.calculated_scorefloatextended880.73A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
599.1.0trueagentagent.host.risk.calculated_score_normfloatextended88.73A normalized risk score calculated by an internal system.
609.1.0trueagentagent.host.risk.static_levelkeywordextendedHighA risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform.
619.1.0trueagentagent.host.risk.static_scorefloatextended830.0A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.
629.1.0trueagentagent.host.risk.static_score_normfloatextended83.0A normalized risk score calculated by an external system.
639.1.0trueagentagent.host.typekeywordcoreType of host.
649.1.0trueagentagent.host.uptimelongextended1325Seconds the host has been up.
659.1.0trueagentagent.idkeywordcore8a4f500dUnique identifier of this agent.
669.1.0trueagentagent.namekeywordcorefooCustom name of the agent.
679.1.0trueagentagent.typekeywordcorefilebeatType of the agent.
689.1.0trueagentagent.versionkeywordcore6.0.0-rc2Version of the agent.
699.1.0truecheckcheck.compliancekeywordcustomarray["cis:1.1.1","cis_csc:5.2"]CIS compliance standard.
709.1.0truecheckcheck.conditionkeywordcustomallRelationship between the rules.
719.1.0truecheckcheck.descriptionkeywordcustom"The password history setting determines the number of unique new passwords a user must use before an old password can be reused."Extended description of the check.
729.1.0truecheckcheck.idkeywordcustom26000The ID of the SCA policy check.
739.1.0truecheckcheck.namekeywordcustomEnsure 'Enforce password history' is set to '24 or more password(s)'.The name of the SCA policy check.
749.1.0truecheckcheck.rationalekeywordcustom"The longer a user uses the same password, the more likely it is that the password will be compromised."The reason for the check. Why it is important.
759.1.0truecheckcheck.reasonkeywordcustom"The password history setting is not set to 24 or more password(s)."Reason for the check result.
769.1.0truecheckcheck.referenceskeywordcustomarray["https://workbench.cisecurity.org"]References for the check.
779.1.0truecheckcheck.remediationkeywordcustom"To establish the recommended configuration, set the following registry value to 24 or more password(s):"Actions to take to remediate the check.
789.1.0truecheckcheck.resultkeywordcustomfailedResult of the check.
799.1.0truecheckcheck.ruleskeywordcustomarray"[\"c:net.exe accounts -> n:Maximum password age \(days\):\s+(\d+) compare > 0\"," > "\"c:net.exe accounts -> n:Length of password history maintained:\s+(\d+) compare >= 24\"]"Rules to be evaluated.
809.1.0trueclientclient.addresskeywordextendedClient network address.
819.1.0trueclientclient.as.numberlongextended15169Unique number allocated to the autonomous system.
829.1.0trueclientclient.as.organization.namekeywordextendedGoogle LLCOrganization name.
839.1.0trueclientclient.byteslongcore184Bytes sent from the client to the server.
849.1.0trueclientclient.domainkeywordcorefoo.example.comThe domain name of the client.
859.1.0trueclientclient.geo.city_namekeywordcoreMontrealCity name.
869.1.0trueclientclient.geo.continent_codekeywordcoreNAContinent code.
879.1.0trueclientclient.geo.continent_namekeywordcoreNorth AmericaName of the continent.
889.1.0trueclientclient.geo.country_iso_codekeywordcoreCACountry ISO code.
899.1.0trueclientclient.geo.country_namekeywordcoreCanadaCountry name.
909.1.0trueclientclient.geo.locationgeo_pointcore{ "lon": -73.614830, "lat": 45.505918 }Longitude and latitude.
919.1.0trueclientclient.geo.namekeywordextendedboston-dcUser-defined description of a location.
929.1.0trueclientclient.geo.postal_codekeywordcore94040Postal code.
939.1.0trueclientclient.geo.region_iso_codekeywordcoreCA-QCRegion ISO code.
949.1.0trueclientclient.geo.region_namekeywordcoreQuebecRegion name.
959.1.0trueclientclient.geo.timezonekeywordcoreAmerica/Argentina/Buenos_AiresTime zone.
969.1.0trueclientclient.ipipcoreIP address of the client.
979.1.0trueclientclient.mackeywordcore00-00-5E-00-53-23MAC address of the client.
989.1.0trueclientclient.nat.ipipextendedClient NAT ip address
999.1.0trueclientclient.nat.portlongextendedClient NAT port
1009.1.0trueclientclient.packetslongcore12Packets sent from the client to the server.
1019.1.0trueclientclient.portlongcorePort of the client.
1029.1.0trueclientclient.registered_domainkeywordextendedexample.comThe highest registered client domain, stripped of the subdomain.
1039.1.0trueclientclient.subdomainkeywordextendedeastThe subdomain of the domain.
1049.1.0trueclientclient.top_level_domainkeywordextendedco.ukThe effective top level domain (com, org, net, co.uk).
1059.1.0trueclientclient.user.domainkeywordextendedName of the directory the user is a member of.
1069.1.0trueclientclient.user.emailkeywordextendedUser email address.
1079.1.0trueclientclient.user.full_namekeywordextendedAlbert EinsteinUser's full name, if available.
1089.1.0trueclientclient.user.group.domainkeywordextendedName of the directory the group is a member of.
1099.1.0trueclientclient.user.group.idkeywordextendedUnique identifier for the group on the system/platform.
1109.1.0trueclientclient.user.group.namekeywordextendedName of the group.
1119.1.0trueclientclient.user.hashkeywordextendedUnique user hash to correlate information for a user in anonymized form.
1129.1.0trueclientclient.user.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
1139.1.0trueclientclient.user.namekeywordcorea.einsteinShort name or login of the user.
1149.1.0trueclientclient.user.roleskeywordextendedarray["kibana_admin", "reporting_user"]Array of user roles at the time of the event.
1159.1.0truecloudcloud.account.idkeywordextended666777888999The cloud account or organization id.
1169.1.0truecloudcloud.account.namekeywordextendedelastic-devThe cloud account name.
1179.1.0truecloudcloud.availability_zonekeywordextendedus-east-1cAvailability zone in which this host, resource, or service is located.
1189.1.0truecloudcloud.instance.idkeywordextendedi-1234567890abcdef0Instance ID of the host machine.
1199.1.0truecloudcloud.instance.namekeywordextendedInstance name of the host machine.
1209.1.0truecloudcloud.machine.typekeywordextendedt2.mediumMachine type of the host machine.
1219.1.0truecloudcloud.origin.account.idkeywordextended666777888999The cloud account or organization id.
1229.1.0truecloudcloud.origin.account.namekeywordextendedelastic-devThe cloud account name.
1239.1.0truecloudcloud.origin.availability_zonekeywordextendedus-east-1cAvailability zone in which this host, resource, or service is located.
1249.1.0truecloudcloud.origin.instance.idkeywordextendedi-1234567890abcdef0Instance ID of the host machine.
1259.1.0truecloudcloud.origin.instance.namekeywordextendedInstance name of the host machine.
1269.1.0truecloudcloud.origin.machine.typekeywordextendedt2.mediumMachine type of the host machine.
1279.1.0truecloudcloud.origin.project.idkeywordextendedmy-projectThe cloud project id.
1289.1.0truecloudcloud.origin.project.namekeywordextendedmy projectThe cloud project name.
1299.1.0truecloudcloud.origin.providerkeywordextendedawsName of the cloud provider.
1309.1.0truecloudcloud.origin.regionkeywordextendedus-east-1Region in which this host, resource, or service is located.
1319.1.0truecloudcloud.origin.service.namekeywordextendedlambdaThe cloud service name.
1329.1.0truecloudcloud.project.idkeywordextendedmy-projectThe cloud project id.
1339.1.0truecloudcloud.project.namekeywordextendedmy projectThe cloud project name.
1349.1.0truecloudcloud.providerkeywordextendedawsName of the cloud provider.
1359.1.0truecloudcloud.regionkeywordextendedus-east-1Region in which this host, resource, or service is located.
1369.1.0truecloudcloud.service.namekeywordextendedlambdaThe cloud service name.
1379.1.0truecloudcloud.target.account.idkeywordextended666777888999The cloud account or organization id.
1389.1.0truecloudcloud.target.account.namekeywordextendedelastic-devThe cloud account name.
1399.1.0truecloudcloud.target.availability_zonekeywordextendedus-east-1cAvailability zone in which this host, resource, or service is located.
1409.1.0truecloudcloud.target.instance.idkeywordextendedi-1234567890abcdef0Instance ID of the host machine.
1419.1.0truecloudcloud.target.instance.namekeywordextendedInstance name of the host machine.
1429.1.0truecloudcloud.target.machine.typekeywordextendedt2.mediumMachine type of the host machine.
1439.1.0truecloudcloud.target.project.idkeywordextendedmy-projectThe cloud project id.
1449.1.0truecloudcloud.target.project.namekeywordextendedmy projectThe cloud project name.
1459.1.0truecloudcloud.target.providerkeywordextendedawsName of the cloud provider.
1469.1.0truecloudcloud.target.regionkeywordextendedus-east-1Region in which this host, resource, or service is located.
1479.1.0truecloudcloud.target.service.namekeywordextendedlambdaThe cloud service name.
1489.1.0truecompliancecompliance.categorykeywordcustompayment-securityFramework category (payment-security, data-protection, etc.).
1499.1.0truecompliancecompliance.namekeywordcustomPCI DSSFramework name (PCI DSS, GDPR, NIST 800-53, etc.).
1509.1.0truecompliancecompliance.publisherkeywordcustomPCI Security Standards CouncilOrganization that published the framework.
1519.1.0truecompliancecompliance.requirement.descriptionmatch_only_textcustomThe organization must rotate encryption keys every 90 days.Full requirement description.
1529.1.0truecompliancecompliance.requirement.idkeywordcustom11.5Requirement identifier (11.5, Article 32, AC-3, etc.).
1539.1.0truecompliancecompliance.requirement.titlematch_only_textcustomRotate cryptographic keysHuman-readable requirement title.
1549.1.0truecompliancecompliance.versionkeywordcustom3.2Framework version (4.0, 2018, 5.1, etc.).
1559.1.0truecontainercontainer.cpu.usagescaled_floatextendedPercent CPU used, between 0 and 1.
1569.1.0truecontainercontainer.disk.read.byteslongextendedThe number of bytes read by all disks.
1579.1.0truecontainercontainer.disk.write.byteslongextendedThe number of bytes written on all disks.
1589.1.0truecontainercontainer.idkeywordcoreUnique container id.
1599.1.0truecontainercontainer.image.hash.allkeywordextendedarray[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26]An array of digests of the image the container was built on.
1609.1.0truecontainercontainer.image.namekeywordextendedName of the image the container was built on.
1619.1.0truecontainercontainer.image.tagkeywordextendedarrayContainer image tags.
1629.1.0truecontainercontainer.labelsobjectextendedImage labels.
1639.1.0truecontainercontainer.memory.usagescaled_floatextendedPercent memory used, between 0 and 1.
1649.1.0truecontainercontainer.namekeywordextendedContainer name.
1659.1.0truecontainercontainer.network.egress.byteslongextendedThe number of bytes sent on all network interfaces.
1669.1.0truecontainercontainer.network.ingress.byteslongextendedThe number of bytes received on all network interfaces.
1679.1.0truecontainercontainer.runtimekeywordextendeddockerRuntime managing this container.
1689.1.0truecontainercontainer.security_context.privilegedbooleanextendedIndicates whether the container is running in privileged mode.
1699.1.0truedata_streamdata_stream.datasetkeywordextendednginx.accessThe field can contain anything that makes sense to signify the source of the data.
1709.1.0truedata_streamdata_stream.namespacekeywordextendedproductionA user defined namespace. Namespaces are useful to allow grouping of data.
1719.1.0truedata_streamdata_stream.typekeywordextendedlogsAn overarching type for the data stream.
1729.1.0truedestinationdestination.addresskeywordextendedDestination network address.
1739.1.0truedestinationdestination.as.numberlongextended15169Unique number allocated to the autonomous system.
1749.1.0truedestinationdestination.as.organization.namekeywordextendedGoogle LLCOrganization name.
1759.1.0truedestinationdestination.byteslongcore184Bytes sent from the destination to the source.
1769.1.0truedestinationdestination.domainkeywordcorefoo.example.comThe domain name of the destination.
1779.1.0truedestinationdestination.geo.city_namekeywordcoreMontrealCity name.
1789.1.0truedestinationdestination.geo.continent_codekeywordcoreNAContinent code.
1799.1.0truedestinationdestination.geo.continent_namekeywordcoreNorth AmericaName of the continent.
1809.1.0truedestinationdestination.geo.country_iso_codekeywordcoreCACountry ISO code.
1819.1.0truedestinationdestination.geo.country_namekeywordcoreCanadaCountry name.
1829.1.0truedestinationdestination.geo.locationgeo_pointcore{ "lon": -73.614830, "lat": 45.505918 }Longitude and latitude.
1839.1.0truedestinationdestination.geo.namekeywordextendedboston-dcUser-defined description of a location.
1849.1.0truedestinationdestination.geo.postal_codekeywordcore94040Postal code.
1859.1.0truedestinationdestination.geo.region_iso_codekeywordcoreCA-QCRegion ISO code.
1869.1.0truedestinationdestination.geo.region_namekeywordcoreQuebecRegion name.
1879.1.0truedestinationdestination.geo.timezonekeywordcoreAmerica/Argentina/Buenos_AiresTime zone.
1889.1.0truedestinationdestination.ipipcoreIP address of the destination.
1899.1.0truedestinationdestination.mackeywordcore00-00-5E-00-53-23MAC address of the destination.
1909.1.0truedestinationdestination.nat.ipipextendedDestination NAT ip
1919.1.0truedestinationdestination.nat.portlongextendedDestination NAT Port
1929.1.0truedestinationdestination.packetslongcore12Packets sent from the destination to the source.
1939.1.0truedestinationdestination.portlongcorePort of the destination.
1949.1.0truedestinationdestination.registered_domainkeywordextendedexample.comThe highest registered destination domain, stripped of the subdomain.
1959.1.0truedestinationdestination.subdomainkeywordextendedeastThe subdomain of the domain.
1969.1.0truedestinationdestination.top_level_domainkeywordextendedco.ukThe effective top level domain (com, org, net, co.uk).
1979.1.0truedestinationdestination.user.domainkeywordextendedName of the directory the user is a member of.
1989.1.0truedestinationdestination.user.emailkeywordextendedUser email address.
1999.1.0truedestinationdestination.user.full_namekeywordextendedAlbert EinsteinUser's full name, if available.
2009.1.0truedestinationdestination.user.group.domainkeywordextendedName of the directory the group is a member of.
2019.1.0truedestinationdestination.user.group.idkeywordextendedUnique identifier for the group on the system/platform.
2029.1.0truedestinationdestination.user.group.namekeywordextendedName of the group.
2039.1.0truedestinationdestination.user.hashkeywordextendedUnique user hash to correlate information for a user in anonymized form.
2049.1.0truedestinationdestination.user.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
2059.1.0truedestinationdestination.user.namekeywordcorea.einsteinShort name or login of the user.
2069.1.0truedestinationdestination.user.roleskeywordextendedarray["kibana_admin", "reporting_user"]Array of user roles at the time of the event.
2079.1.0truedevicedevice.idkeywordextended00000000-54b3-e7c7-0000-000046bffd97The unique identifier of a device.
2089.1.0truedevicedevice.manufacturerkeywordextendedSamsungThe vendor name of the device manufacturer.
2099.1.0truedevicedevice.model.identifierkeywordextendedSM-G920FThe machine readable identifier of the device model.
2109.1.0truedevicedevice.model.namekeywordextendedSamsung Galaxy S6The human readable marketing name of the device model.
2119.1.0truedevicedevice.serial_numberkeywordcoreDJGAQS4CW5Serial Number of the device
2129.1.0truedlldll.code_signature.digest_algorithmkeywordextendedsha256Hashing algorithm used to sign the process.
2139.1.0truedlldll.code_signature.existsbooleancoretrueBoolean to capture if a signature is present.
2149.1.0truedlldll.code_signature.flagskeywordextended570522385Code signing flags of the process
2159.1.0truedlldll.code_signature.signing_idkeywordextendedcom.apple.xpc.proxyThe identifier used to sign the process.
2169.1.0truedlldll.code_signature.statuskeywordextendedERROR_UNTRUSTED_ROOTAdditional information about the certificate status.
2179.1.0truedlldll.code_signature.subject_namekeywordcoreMicrosoft CorporationSubject name of the code signer
2189.1.0truedlldll.code_signature.team_idkeywordextendedEQHXZ8M8AVThe team identifier used to sign the process.
2199.1.0truedlldll.code_signature.thumbprint_sha256keywordextendedc0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476bSHA256 hash of the certificate.
2209.1.0truedlldll.code_signature.timestampdateextended2021-01-01T12:10:30ZWhen the signature was generated and signed.
2219.1.0truedlldll.code_signature.trustedbooleanextendedtrueStores the trust status of the certificate chain.
2229.1.0truedlldll.code_signature.validbooleanextendedtrueBoolean to capture if the digital signature is verified against the binary content.
2239.1.0truedlldll.hash.cdhashkeywordextended3783b4052fd474dbe30676b45c329e7a6d44acd9The Code Directory (CD) hash of an executable.
2249.1.0truedlldll.hash.md5keywordextendedMD5 hash.
2259.1.0truedlldll.hash.sha1keywordextendedSHA1 hash.
2269.1.0truedlldll.hash.sha256keywordextendedSHA256 hash.
2279.1.0truedlldll.hash.sha384keywordextendedSHA384 hash.
2289.1.0truedlldll.hash.sha512keywordextendedSHA512 hash.
2299.1.0truedlldll.hash.ssdeepkeywordextendedSSDEEP hash.
2309.1.0truedlldll.hash.tlshkeywordextendedTLSH hash.
2319.1.0truedlldll.namekeywordcorekernel32.dllName of the library.
2329.1.0truedlldll.origin_referrer_urlkeywordextendedhttp://example.com/article1.htmlThe URL of the webpage that linked to the dll file.
2339.1.0truedlldll.origin_urlkeywordextendedhttp://example.com/files/example.dllThe URL where the dll file is hosted.
2349.1.0truedlldll.pathkeywordextendedC:\Windows\System32\kernel32.dllFull file path of the library.
2359.1.0truedlldll.pe.architecturekeywordextendedx64CPU architecture target for the file.
2369.1.0truedlldll.pe.companykeywordextendedMicrosoft CorporationInternal company name of the file, provided at compile-time.
2379.1.0truedlldll.pe.descriptionkeywordextendedPaintInternal description of the file, provided at compile-time.
2389.1.0truedlldll.pe.file_versionkeywordextended6.3.9600.17415Process name.
2399.1.0truedlldll.pe.go_import_hashkeywordextended10bddcb4cee42080f76c88d9ff964491A hash of the Go language imports in a PE file.
2409.1.0truedlldll.pe.go_importsflat_objectextendedList of imported Go language element names and types.
2419.1.0truedlldll.pe.go_imports_names_entropylongextendedShannon entropy calculation from the list of Go imports.
2429.1.0truedlldll.pe.go_imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of Go imports.
2439.1.0truedlldll.pe.go_strippedbooleanextendedWhether the file is a stripped or obfuscated Go executable.
2449.1.0truedlldll.pe.imphashkeywordextended0c6803c4e922103c4dca5963aad36ddfA hash of the imports in a PE file.
2459.1.0truedlldll.pe.import_hashkeywordextendedd41d8cd98f00b204e9800998ecf8427eA hash of the imports in a PE file.
2469.1.0truedlldll.pe.importsflat_objectextendedarrayList of imported element names and types.
2479.1.0truedlldll.pe.imports_names_entropylongextendedShannon entropy calculation from the list of imported element names and types.
2489.1.0truedlldll.pe.imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of imported element names and types.
2499.1.0truedlldll.pe.original_file_namekeywordextendedMSPAINT.EXEInternal name of the file, provided at compile-time.
2509.1.0truedlldll.pe.pehashkeywordextended73ff189b63cd6be375a7ff25179a38d347651975A hash of the PE header and data from one or more PE sections.
2519.1.0truedlldll.pe.productkeywordextendedMicrosoft® Windows® Operating SystemInternal product name of the file, provided at compile-time.
2529.1.0truedlldll.pe.sectionsnestedextendedarraySection information of the PE file.
2539.1.0truedlldll.pe.sections.entropylongextendedShannon entropy calculation from the section.
2549.1.0truedlldll.pe.sections.namekeywordextendedPE Section List name.
2559.1.0truedlldll.pe.sections.physical_sizelongextendedPE Section List physical size.
2569.1.0truedlldll.pe.sections.var_entropylongextendedVariance for Shannon entropy calculation from the section.
2579.1.0truedlldll.pe.sections.virtual_sizelongextendedPE Section List virtual size. This is always the same as `physical_size`.
2589.1.0truednsdns.answersobjectextendedarrayArray of DNS answers.
2599.1.0truednsdns.answers.classkeywordextendedINThe class of DNS data contained in this resource record.
2609.1.0truednsdns.answers.datakeywordextended10.10.10.10The data describing the resource.
2619.1.0truednsdns.answers.namekeywordextendedwww.example.comThe domain name to which this resource record pertains.
2629.1.0truednsdns.answers.ttllongextended180The time interval in seconds that this resource record may be cached before it should be discarded.
2639.1.0truednsdns.answers.typekeywordextendedCNAMEThe type of data contained in this resource record.
2649.1.0truednsdns.header_flagskeywordextendedarray["RD", "RA"]Array of DNS header flags.
2659.1.0truednsdns.idkeywordextended62111The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
2669.1.0truednsdns.op_codekeywordextendedQUERYThe DNS operation code that specifies the kind of query in the message.
2679.1.0truednsdns.question.classkeywordextendedINThe class of records being queried.
2689.1.0truednsdns.question.namekeywordextendedwww.example.comThe name being queried.
2699.1.0truednsdns.question.registered_domainkeywordextendedexample.comThe highest registered domain, stripped of the subdomain.
2709.1.0truednsdns.question.subdomainkeywordextendedwwwThe subdomain of the domain.
2719.1.0truednsdns.question.top_level_domainkeywordextendedco.ukThe effective top level domain (com, org, net, co.uk).
2729.1.0truednsdns.question.typekeywordextendedAAAAThe type of record being queried.
2739.1.0truednsdns.resolved_ipipextendedarray["10.10.10.10", "10.10.10.11"]Array containing all IPs seen in answers.data
2749.1.0truednsdns.response_codekeywordextendedNOERRORThe DNS response code.
2759.1.0truednsdns.typekeywordextendedanswerThe type of DNS event captured, query or answer.
2769.1.0trueemailemail.attachmentsnestedextendedarrayList of objects describing the attachments.
2779.1.0trueemailemail.attachments.file.extensionkeywordextendedtxtAttachment file extension.
2789.1.0trueemailemail.attachments.file.hash.cdhashkeywordextended3783b4052fd474dbe30676b45c329e7a6d44acd9The Code Directory (CD) hash of an executable.
2799.1.0trueemailemail.attachments.file.hash.md5keywordextendedMD5 hash.
2809.1.0trueemailemail.attachments.file.hash.sha1keywordextendedSHA1 hash.
2819.1.0trueemailemail.attachments.file.hash.sha256keywordextendedSHA256 hash.
2829.1.0trueemailemail.attachments.file.hash.sha384keywordextendedSHA384 hash.
2839.1.0trueemailemail.attachments.file.hash.sha512keywordextendedSHA512 hash.
2849.1.0trueemailemail.attachments.file.hash.ssdeepkeywordextendedSSDEEP hash.
2859.1.0trueemailemail.attachments.file.hash.tlshkeywordextendedTLSH hash.
2869.1.0trueemailemail.attachments.file.mime_typekeywordextendedtext/plainMIME type of the attachment file.
2879.1.0trueemailemail.attachments.file.namekeywordextendedattachment.txtName of the attachment file.
2889.1.0trueemailemail.attachments.file.sizelongextended64329Attachment file size.
2899.1.0trueemailemail.bcc.addresskeywordextendedarraybcc.user1@example.comEmail address of BCC recipient
2909.1.0trueemailemail.cc.addresskeywordextendedarraycc.user1@example.comEmail address of CC recipient
2919.1.0trueemailemail.content_typekeywordextendedtext/plainMIME type of the email message.
2929.1.0trueemailemail.delivery_timestampdateextended2020-11-10T22:12:34.8196921ZDate and time when message was delivered.
2939.1.0trueemailemail.directionkeywordextendedinboundDirection of the message.
2949.1.0trueemailemail.from.addresskeywordextendedarraysender@example.comThe sender's email address.
2959.1.0trueemailemail.local_idkeywordextendedc26dbea0-80d5-463b-b93c-4e8b708219ceUnique identifier given by the source.
2969.1.0trueemailemail.message_idkeywordextended81ce15$8r2j59@mail01.example.comValue from the Message-ID header.
2979.1.0trueemailemail.origination_timestampdateextended2020-11-10T22:12:34.8196921ZDate and time the email was composed.
2989.1.0trueemailemail.reply_to.addresskeywordextendedarrayreply.here@example.comAddress replies should be delivered to.
2999.1.0trueemailemail.sender.addresskeywordextendedAddress of the message sender.
3009.1.0trueemailemail.subjectkeywordextendedPlease see this important message.The subject of the email message.
3019.1.0trueemailemail.to.addresskeywordextendedarrayuser1@example.comEmail address of recipient
3029.1.0trueemailemail.x_mailerkeywordextendedSpambot v2.5Application that drafted email.
3039.1.0trueerrorerror.codekeywordcoreError code describing the error.
3049.1.0trueerrorerror.idkeywordcoreUnique identifier for the error.
3059.1.0trueerrorerror.messagekeywordcoreError message.
3069.1.0trueerrorerror.stack_tracekeywordextendedThe stack trace of this error in plain text.
3079.1.0trueerrorerror.typekeywordextendedjava.lang.NullPointerExceptionThe type of the error, for example the class name of the exception.
3089.1.0trueeventevent.actionkeywordcoreuser-password-changeThe action captured by the event.
3099.1.0trueeventevent.agent_id_statuskeywordextendedverifiedValidation status of the event's agent.id field.
3109.1.0trueeventevent.categorykeywordcorearrayauthenticationEvent category. The second categorization field in the hierarchy.
3119.1.0trueeventevent.changed_fieldskeywordcustomarray["foo", "bar"]Fields that were updated since last scan.
3129.1.0trueeventevent.codekeywordextended4648Identification code for this event.
3139.1.0trueeventevent.collectorkeywordcustomfileCollector used to retrieve the event.
3149.1.0trueeventevent.createddatecore2016-05-23T08:05:34.857ZTime when the event was first read by an agent or by your pipeline.
3159.1.0trueeventevent.datasetkeywordcoreapache.accessName of the dataset.
3169.1.0trueeventevent.durationlongcoreDuration of the event in nanoseconds.
3179.1.0trueeventevent.enddateextended`event.end` contains the date when the event ended or when the activity was last observed.
3189.1.0trueeventevent.hashkeywordextended123456789012345678901234567890ABCDHash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
3199.1.0trueeventevent.idkeywordcore8a4f500dUnique ID to describe the event.
3209.1.0trueeventevent.ingesteddatecore2016-05-23T08:05:35.101ZTimestamp when an event arrived in the central data store.
3219.1.0trueeventevent.kindkeywordcorealertThe kind of the event. The highest categorization field in the hierarchy.
3229.1.0trueeventevent.modulekeywordcoreapacheName of the module this data is coming from.
3239.1.0falseeventevent.originalkeywordcoreSep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232Raw text message of entire event.
3249.1.0trueeventevent.outcomekeywordcoresuccessThe outcome of the event. The lowest level categorization field in the hierarchy.
3259.1.0trueeventevent.providerkeywordextendedkernelSource of the event.
3269.1.0trueeventevent.reasonkeywordextendedTerminated an unexpected processReason why this event happened, according to the source
3279.1.0trueeventevent.referencekeywordextendedhttps://system.example.com/event/#0001234Event reference URL
3289.1.0trueeventevent.risk_scorefloatcoreRisk score or priority of the event (e.g. security solutions). Use your system's original value here.
3299.1.0trueeventevent.risk_score_normfloatextendedNormalized risk score or priority of the event (0-100).
3309.1.0trueeventevent.sequencelongextendedSequence number of the event.
3319.1.0trueeventevent.severitylongcore7Numeric severity of the event.
3329.1.0trueeventevent.startdateextended`event.start` contains the date when the event started or when the activity was first observed.
3339.1.0trueeventevent.timezonekeywordextendedEvent time zone.
3349.1.0trueeventevent.typekeywordcorearrayEvent type. The third categorization field in the hierarchy.
3359.1.0trueeventevent.urlkeywordextendedhttps://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38feEvent investigation URL
3369.1.0truefaasfaas.coldstartbooleanextendedBoolean value indicating a cold start of a function.
3379.1.0truefaasfaas.executionkeywordextendedaf9d5aa4-a685-4c5f-a22b-444f80b3cc28The execution ID of the current function execution.
3389.1.0truefaasfaas.idkeywordextendedarn:aws:lambda:us-west-2:123456789012:function:my-functionThe unique identifier of a serverless function.
3399.1.0truefaasfaas.namekeywordextendedmy-functionThe name of a serverless function.
3409.1.0truefaasfaas.trigger.request_idkeywordextended123456789The ID of the trigger request, message, event, etc.
3419.1.0truefaasfaas.trigger.typekeywordextendedhttpThe trigger for the function execution.
3429.1.0truefaasfaas.versionkeywordextended123The version of a serverless function.
3439.1.0truefilefile.accesseddateextendedLast time the file was accessed.
3449.1.0truefilefile.attributeskeywordextendedarray["readonly", "system"]Array of file attributes.
3459.1.0truefilefile.code_signature.digest_algorithmkeywordextendedsha256Hashing algorithm used to sign the process.
3469.1.0truefilefile.code_signature.existsbooleancoretrueBoolean to capture if a signature is present.
3479.1.0truefilefile.code_signature.flagskeywordextended570522385Code signing flags of the process
3489.1.0truefilefile.code_signature.signing_idkeywordextendedcom.apple.xpc.proxyThe identifier used to sign the process.
3499.1.0truefilefile.code_signature.statuskeywordextendedERROR_UNTRUSTED_ROOTAdditional information about the certificate status.
3509.1.0truefilefile.code_signature.subject_namekeywordcoreMicrosoft CorporationSubject name of the code signer
3519.1.0truefilefile.code_signature.team_idkeywordextendedEQHXZ8M8AVThe team identifier used to sign the process.
3529.1.0truefilefile.code_signature.thumbprint_sha256keywordextendedc0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476bSHA256 hash of the certificate.
3539.1.0truefilefile.code_signature.timestampdateextended2021-01-01T12:10:30ZWhen the signature was generated and signed.
3549.1.0truefilefile.code_signature.trustedbooleanextendedtrueStores the trust status of the certificate chain.
3559.1.0truefilefile.code_signature.validbooleanextendedtrueBoolean to capture if the digital signature is verified against the binary content.
3569.1.0truefilefile.createddateextendedFile creation time.
3579.1.0truefilefile.ctimedateextendedLast time the file attributes or metadata changed.
3589.1.0truefilefile.devicekeywordextendedsdaDevice that is the source of the file.
3599.1.0truefilefile.directorykeywordextended/home/aliceDirectory where the file is located.
3609.1.0truefilefile.drive_letterkeywordextendedCDrive letter where the file is located.
3619.1.0truefilefile.elf.architecturekeywordextendedx86-64Machine architecture of the ELF file.
3629.1.0truefilefile.elf.byte_orderkeywordextendedLittle EndianByte sequence of ELF file.
3639.1.0truefilefile.elf.cpu_typekeywordextendedIntelCPU type of the ELF file.
3649.1.0truefilefile.elf.creation_datedateextendedBuild or compile date.
3659.1.0truefilefile.elf.exportsflat_objectextendedarrayList of exported element names and types.
3669.1.0truefilefile.elf.go_import_hashkeywordextended10bddcb4cee42080f76c88d9ff964491A hash of the Go language imports in an ELF file.
3679.1.0truefilefile.elf.go_importsflat_objectextendedList of imported Go language element names and types.
3689.1.0truefilefile.elf.go_imports_names_entropylongextendedShannon entropy calculation from the list of Go imports.
3699.1.0truefilefile.elf.go_imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of Go imports.
3709.1.0truefilefile.elf.go_strippedbooleanextendedWhether the file is a stripped or obfuscated Go executable.
3719.1.0truefilefile.elf.header.abi_versionkeywordextendedVersion of the ELF Application Binary Interface (ABI).
3729.1.0truefilefile.elf.header.classkeywordextendedHeader class of the ELF file.
3739.1.0truefilefile.elf.header.datakeywordextendedData table of the ELF header.
3749.1.0truefilefile.elf.header.entrypointlongextendedHeader entrypoint of the ELF file.
3759.1.0truefilefile.elf.header.object_versionkeywordextended"0x1" for original ELF files.
3769.1.0truefilefile.elf.header.os_abikeywordextendedApplication Binary Interface (ABI) of the Linux OS.
3779.1.0truefilefile.elf.header.typekeywordextendedHeader type of the ELF file.
3789.1.0truefilefile.elf.header.versionkeywordextendedVersion of the ELF header.
3799.1.0truefilefile.elf.import_hashkeywordextendedd41d8cd98f00b204e9800998ecf8427eA hash of the imports in an ELF file.
3809.1.0truefilefile.elf.importsflat_objectextendedarrayList of imported element names and types.
3819.1.0truefilefile.elf.imports_names_entropylongextendedShannon entropy calculation from the list of imported element names and types.
3829.1.0truefilefile.elf.imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of imported element names and types.
3839.1.0truefilefile.elf.sectionsnestedextendedarraySection information of the ELF file.
3849.1.0truefilefile.elf.sections.chi2longextendedChi-square probability distribution of the section.
3859.1.0truefilefile.elf.sections.entropylongextendedShannon entropy calculation from the section.
3869.1.0truefilefile.elf.sections.flagskeywordextendedELF Section List flags.
3879.1.0truefilefile.elf.sections.namekeywordextendedELF Section List name.
3889.1.0truefilefile.elf.sections.physical_offsetkeywordextendedELF Section List offset.
3899.1.0truefilefile.elf.sections.physical_sizelongextendedELF Section List physical size.
3909.1.0truefilefile.elf.sections.typekeywordextendedELF Section List type.
3919.1.0truefilefile.elf.sections.var_entropylongextendedVariance for Shannon entropy calculation from the section.
3929.1.0truefilefile.elf.sections.virtual_addresslongextendedELF Section List virtual address.
3939.1.0truefilefile.elf.sections.virtual_sizelongextendedELF Section List virtual size.
3949.1.0truefilefile.elf.segmentsnestedextendedarrayELF object segment list.
3959.1.0truefilefile.elf.segments.sectionskeywordextendedELF object segment sections.
3969.1.0truefilefile.elf.segments.typekeywordextendedELF object segment type.
3979.1.0truefilefile.elf.shared_librarieskeywordextendedarrayList of shared libraries used by this ELF object.
3989.1.0truefilefile.elf.telfhashkeywordextendedtelfhash hash for ELF file.
3999.1.0truefilefile.extensionkeywordextendedpngFile extension, excluding the leading dot.
4009.1.0truefilefile.fork_namekeywordextendedZone.IdentiferA fork is additional data associated with a filesystem object.
4019.1.0truefilefile.gidkeywordextended1001Primary group ID (GID) of the file.
4029.1.0truefilefile.groupkeywordextendedalicePrimary group name of the file.
4039.1.0truefilefile.hash.cdhashkeywordextended3783b4052fd474dbe30676b45c329e7a6d44acd9The Code Directory (CD) hash of an executable.
4049.1.0truefilefile.hash.md5keywordextendedMD5 hash.
4059.1.0truefilefile.hash.sha1keywordextendedSHA1 hash.
4069.1.0truefilefile.hash.sha256keywordextendedSHA256 hash.
4079.1.0truefilefile.hash.sha384keywordextendedSHA384 hash.
4089.1.0truefilefile.hash.sha512keywordextendedSHA512 hash.
4099.1.0truefilefile.hash.ssdeepkeywordextendedSSDEEP hash.
4109.1.0truefilefile.hash.tlshkeywordextendedTLSH hash.
4119.1.0truefilefile.inodekeywordextended256383Inode representing the file in the filesystem.
4129.1.0truefilefile.macho.go_import_hashkeywordextended10bddcb4cee42080f76c88d9ff964491A hash of the Go language imports in a Mach-O file.
4139.1.0truefilefile.macho.go_importsflat_objectextendedList of imported Go language element names and types.
4149.1.0truefilefile.macho.go_imports_names_entropylongextendedShannon entropy calculation from the list of Go imports.
4159.1.0truefilefile.macho.go_imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of Go imports.
4169.1.0truefilefile.macho.go_strippedbooleanextendedWhether the file is a stripped or obfuscated Go executable.
4179.1.0truefilefile.macho.import_hashkeywordextendedd41d8cd98f00b204e9800998ecf8427eA hash of the imports in a Mach-O file.
4189.1.0truefilefile.macho.importsflat_objectextendedarrayList of imported element names and types.
4199.1.0truefilefile.macho.imports_names_entropylongextendedShannon entropy calculation from the list of imported element names and types.
4209.1.0truefilefile.macho.imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of imported element names and types.
4219.1.0truefilefile.macho.sectionsnestedextendedarraySection information of the Mach-O file.
4229.1.0truefilefile.macho.sections.entropylongextendedShannon entropy calculation from the section.
4239.1.0truefilefile.macho.sections.namekeywordextendedMach-O Section List name.
4249.1.0truefilefile.macho.sections.physical_sizelongextendedMach-O Section List physical size.
4259.1.0truefilefile.macho.sections.var_entropylongextendedVariance for Shannon entropy calculation from the section.
4269.1.0truefilefile.macho.sections.virtual_sizelongextendedMach-O Section List virtual size. This is always the same as `physical_size`.
4279.1.0truefilefile.macho.symhashkeywordextendedd3ccf195b62a9279c3c19af1080497ecA hash of the imports in a Mach-O file.
4289.1.0truefilefile.mime_typekeywordextendedMedia type of file, document, or arrangement of bytes.
4299.1.0truefilefile.modekeywordextended0640Mode of the file in octal representation.
4309.1.0truefilefile.mtimedateextendedLast time the file content was modified.
4319.1.0truefilefile.namekeywordextendedexample.pngName of the file including the extension, without the directory.
4329.1.0truefilefile.origin_referrer_urlkeywordextendedhttp://example.com/article1.htmlThe URL of the webpage that linked to the file.
4339.1.0truefilefile.origin_urlkeywordextendedhttp://example.com/imgs/article1_img1.jpgThe URL where the file is hosted.
4349.1.0truefilefile.ownerkeywordextendedaliceFile owner's username.
4359.1.0truefilefile.pathkeywordextended/home/alice/example.pngFull path to the file, including the file name.
4369.1.0truefilefile.pe.architecturekeywordextendedx64CPU architecture target for the file.
4379.1.0truefilefile.pe.companykeywordextendedMicrosoft CorporationInternal company name of the file, provided at compile-time.
4389.1.0truefilefile.pe.descriptionkeywordextendedPaintInternal description of the file, provided at compile-time.
4399.1.0truefilefile.pe.file_versionkeywordextended6.3.9600.17415Process name.
4409.1.0truefilefile.pe.go_import_hashkeywordextended10bddcb4cee42080f76c88d9ff964491A hash of the Go language imports in a PE file.
4419.1.0truefilefile.pe.go_importsflat_objectextendedList of imported Go language element names and types.
4429.1.0truefilefile.pe.go_imports_names_entropylongextendedShannon entropy calculation from the list of Go imports.
4439.1.0truefilefile.pe.go_imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of Go imports.
4449.1.0truefilefile.pe.go_strippedbooleanextendedWhether the file is a stripped or obfuscated Go executable.
4459.1.0truefilefile.pe.imphashkeywordextended0c6803c4e922103c4dca5963aad36ddfA hash of the imports in a PE file.
4469.1.0truefilefile.pe.import_hashkeywordextendedd41d8cd98f00b204e9800998ecf8427eA hash of the imports in a PE file.
4479.1.0truefilefile.pe.importsflat_objectextendedarrayList of imported element names and types.
4489.1.0truefilefile.pe.imports_names_entropylongextendedShannon entropy calculation from the list of imported element names and types.
4499.1.0truefilefile.pe.imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of imported element names and types.
4509.1.0truefilefile.pe.original_file_namekeywordextendedMSPAINT.EXEInternal name of the file, provided at compile-time.
4519.1.0truefilefile.pe.pehashkeywordextended73ff189b63cd6be375a7ff25179a38d347651975A hash of the PE header and data from one or more PE sections.
4529.1.0truefilefile.pe.productkeywordextendedMicrosoft® Windows® Operating SystemInternal product name of the file, provided at compile-time.
4539.1.0truefilefile.pe.sectionsnestedextendedarraySection information of the PE file.
4549.1.0truefilefile.pe.sections.entropylongextendedShannon entropy calculation from the section.
4559.1.0truefilefile.pe.sections.namekeywordextendedPE Section List name.
4569.1.0truefilefile.pe.sections.physical_sizelongextendedPE Section List physical size.
4579.1.0truefilefile.pe.sections.var_entropylongextendedVariance for Shannon entropy calculation from the section.
4589.1.0truefilefile.pe.sections.virtual_sizelongextendedPE Section List virtual size. This is always the same as `physical_size`.
4599.1.0truefilefile.sizelongextended16384File size in bytes.
4609.1.0truefilefile.target_pathkeywordextendedTarget path for symlinks.
4619.1.0truefilefile.typekeywordextendedfileFile type (file, dir, or symlink).
4629.1.0truefilefile.uidkeywordextended1001The user ID (UID) or security identifier (SID) of the file owner.
4639.1.0truefilefile.x509.alternative_nameskeywordextendedarray*.elastic.coList of subject alternative names (SAN).
4649.1.0truefilefile.x509.issuer.common_namekeywordextendedarrayExample SHA2 High Assurance Server CAList of common name (CN) of issuing certificate authority.
4659.1.0truefilefile.x509.issuer.countrykeywordextendedarrayUSList of country (C) codes
4669.1.0truefilefile.x509.issuer.distinguished_namekeywordextendedC=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CADistinguished name (DN) of issuing certificate authority.
4679.1.0truefilefile.x509.issuer.localitykeywordextendedarrayMountain ViewList of locality names (L)
4689.1.0truefilefile.x509.issuer.organizationkeywordextendedarrayExample IncList of organizations (O) of issuing certificate authority.
4699.1.0truefilefile.x509.issuer.organizational_unitkeywordextendedarraywww.example.comList of organizational units (OU) of issuing certificate authority.
4709.1.0truefilefile.x509.issuer.state_or_provincekeywordextendedarrayCaliforniaList of state or province names (ST, S, or P)
4719.1.0truefilefile.x509.not_afterdateextended2020-07-16T03:15:39ZTime at which the certificate is no longer considered valid.
4729.1.0truefilefile.x509.not_beforedateextended2019-08-16T01:40:25ZTime at which the certificate is first considered valid.
4739.1.0truefilefile.x509.public_key_algorithmkeywordextendedRSAAlgorithm used to generate the public key.
4749.1.0truefilefile.x509.public_key_curvekeywordextendednistp521The curve used by the elliptic curve public key algorithm. This is algorithm specific.
4759.1.0falsefilefile.x509.public_key_exponentlongextended65537Exponent used to derive the public key. This is algorithm specific.
4769.1.0truefilefile.x509.public_key_sizelongextended2048The size of the public key space in bits.
4779.1.0truefilefile.x509.serial_numberkeywordextended55FBB9C7DEBF09809D12CCAAUnique serial number issued by the certificate authority.
4789.1.0truefilefile.x509.signature_algorithmkeywordextendedSHA256-RSAIdentifier for certificate signature algorithm.
4799.1.0truefilefile.x509.subject.common_namekeywordextendedarrayshared.global.example.netList of common names (CN) of subject.
4809.1.0truefilefile.x509.subject.countrykeywordextendedarrayUSList of country (C) codes
4819.1.0truefilefile.x509.subject.distinguished_namekeywordextendedC=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.netDistinguished name (DN) of the certificate subject entity.
4829.1.0truefilefile.x509.subject.localitykeywordextendedarraySan FranciscoList of locality names (L)
4839.1.0truefilefile.x509.subject.organizationkeywordextendedarrayExample, Inc.List of organizations (O) of subject.
4849.1.0truefilefile.x509.subject.organizational_unitkeywordextendedarrayList of organizational units (OU) of subject.
4859.1.0truefilefile.x509.subject.state_or_provincekeywordextendedarrayCaliforniaList of state or province names (ST, S, or P)
4869.1.0truefilefile.x509.version_numberkeywordextended3Version of x509 format.
4879.1.0truegcp_auditgcp_audit.actor.entity_idnestedcustomThe unique identifier of the entity that performed the audited action
4889.1.0truegcp_auditgcp_audit.authenticationinfo.principalsubjectkeywordcustomexample-principalsubjectThe purpose of this field needs to be defined
4899.1.0truegcp_auditgcp_audit.authenticationinfo.serviceaccountdelegationinfonestedcustomarrayThe service account delegation information
4909.1.0truegcp_auditgcp_audit.authenticationinfo.serviceaccountkeynamekeywordcustomexample-serviceaccountkeynameThis field captures authentication details whenever an API call or action is performed in GCP
4919.1.0truegcp_auditgcp_audit.authorizationinfonestedcustomarrayThe gcp audit log authorization information
4929.1.0truegcp_auditgcp_audit.event_providerkeywordcustomexample-event_providerThe provider of the audit event
4939.1.0truegcp_auditgcp_audit.labelsobjectcustomThe GCP audit labels information
4949.1.0truegcp_auditgcp_audit.metadata.@typekeywordcustomexample-@typeThe type of GCP audit metadata
4959.1.0truegcp_auditgcp_audit.metadata.accessLevelskeywordcustomarrayexample-accessLevelsThe access levels in the gcp audit metadata
4969.1.0truegcp_auditgcp_audit.metadata.identityDelegationChainkeywordcustomarrayexample-identityDelegationChainThe identity delegation chain in the gcp audit metadata
4979.1.0truegcp_auditgcp_audit.metadata.ingressViolationsnestedcustomarrayThe GCP audit metadata ingress violations information
4989.1.0truegcp_auditgcp_audit.metadata.operationTypekeywordcustomexample-operationTypeThe operation type in the GCP audit metadata
4999.1.0truegcp_auditgcp_audit.metadata.resourceNameskeywordcustomarrayexample-resourceNamesThe resource names in the GCP audit metadata
5009.1.0truegcp_auditgcp_audit.metadata.securityPolicyInfo.organizationIdkeywordcustomexample-organizationIdThe organization identifier in the security policy information
5019.1.0truegcp_auditgcp_audit.metadata.securityPolicyInfo.servicePerimeterNamekeywordcustomexample-servicePerimeterNameThe service perimeter in the security policy information
5029.1.0truegcp_auditgcp_audit.metadata.usedResources.attachedDisksnestedcustomarrayThe attached disks in the used resources
5039.1.0truegcp_auditgcp_audit.metadata.violationReasonkeywordcustomexample-violationReasonThe violation reason information stored in the metadata
5049.1.0truegcp_auditgcp_audit.metadata.vpcServiceControlsUniqueIdkeywordcustomexample-vpcServiceControlsUniqueIdThe VPC service controls unique identifier in the metadata
5059.1.0truegcp_auditgcp_audit.numresponseitemslongcustom12345Number of items returned in the response
5069.1.0truegcp_auditgcp_audit.operation.idkeywordcustomexample-idAn identifier for the audit log operation
5079.1.0truegcp_auditgcp_audit.orgpolicyviolationinfo.payload.key1keywordcustomexample-key1The key in the payload policy violation information
5089.1.0truegcp_auditgcp_audit.orgpolicyviolationinfo.payload.key2keywordcustomexample-key2The key in the payload policy violation information
5099.1.0truegcp_auditgcp_audit.orgpolicyviolationinfo.resourcetags.instance_idkeywordcustomexample-instance_idThe instance ID present in the resource tags in the policy violation information
5109.1.0truegcp_auditgcp_audit.orgpolicyviolationinfo.resourcetags.zonekeywordcustomexample-zoneThe zone present in the resource tags in the policy violation information
5119.1.0truegcp_auditgcp_audit.related.entitynestedcustomInformation about related entities connected to the audited operation
5129.1.0truegcp_auditgcp_audit.request.@typekeywordcustomexample-@typeThe message type of the request payload
5139.1.0truegcp_auditgcp_audit.request.apiVersionkeywordcustomexample-apiVersionThe version of the API used in the request
5149.1.0truegcp_auditgcp_audit.request.diskskeywordcustomarrayexample-disksThe details of the disks in the request information
5159.1.0truegcp_auditgcp_audit.request.familykeywordcustomexample-familyIndicates the resource family or category associated with the audit request
5169.1.0truegcp_auditgcp_audit.request.guestOsFeaturesnestedcustomarraySpecifies the operating system features requested for a guest VM instance
5179.1.0truegcp_auditgcp_audit.request.kindkeywordcustomexample-kindIdentifies the type of API resource or operation object in the request
5189.1.0truegcp_auditgcp_audit.request.machineTypekeywordcustomexample-machineTypeThe Compute Engine machine type (CPU/memory configuration) requested for a VM
5199.1.0truegcp_auditgcp_audit.request.metadata.creationTimestampdatecustom2023-01-01T00:00:00.000ZThe timestamp indicating when the resource was created
5209.1.0truegcp_auditgcp_audit.request.namekeywordcustomexample-nameThe name assigned to the resource being created or modified
5219.1.0truegcp_auditgcp_audit.request.networkInterfacesnestedcustomarrayThe list of network interfaces attached to a VM (e.g., IPs, subnets, VPCs)
5229.1.0truegcp_auditgcp_audit.request.pageSizekeywordcustomexample-pageSizeThe maximum number of items to return in a paginated API response
5239.1.0truegcp_auditgcp_audit.request.page_tokenkeywordcustomexample-page_tokenA continuation token to fetch the next page of results in paginated requests
5249.1.0truegcp_auditgcp_audit.request.policy.bindingsnestedcustomarrayThe IAM role-to-member mappings defined in a policy
5259.1.0truegcp_auditgcp_audit.request.policy.etagkeywordcustomexample-etagA unique identifier used for concurrency control when updating an IAM policy
5269.1.0truegcp_auditgcp_audit.request.policyvaluekeywordcustomexample-policyvalueThe full IAM policy object or value applied to a resource
5279.1.0truegcp_auditgcp_audit.request.rawDisk.sourcekeywordcustomexample-sourceThe source disk or image used when creating a new raw disk
5289.1.0truegcp_auditgcp_audit.request.resourcekeywordcustomexample-resourceSpecifies the type or specification of the resource targeted in the request
5299.1.0truegcp_auditgcp_audit.request.resourceNamekeywordcustomexample-resourceNameThe fully qualified name of the resource on which the action is performed
5309.1.0truegcp_auditgcp_audit.request.serviceAccountsnestedcustomarrayLists the service accounts associated with the resource (e.g., attached to a VM)
5319.1.0truegcp_auditgcp_audit.request.sourceTypekeywordcustomexample-sourceTypeIndicates the origin type of the resource or workload (e.g., image, snapshot, or template)
5329.1.0truegcp_auditgcp_audit.request.spec.groupnestedcustomarrayRepresents the API group of the resource specification, commonly used in Kubernetes-style APIs
5339.1.0truegcp_auditgcp_audit.request.spec.nonResourceAttributes.pathkeywordcustomexample-pathThe API path accessed when the request does not target a specific resource (e.g., /healthz)
5349.1.0truegcp_auditgcp_audit.request.spec.nonResourceAttributes.verbkeywordcustomexample-verbThe HTTP verb or action used in the non-resource request (e.g., get, list, create)
5359.1.0truegcp_auditgcp_audit.request.spec.strategy.$retainKeyskeywordcustomexample-$retainKeysIndicates which keys should be retained when applying a strategy-based resource update.
5369.1.0truegcp_auditgcp_audit.request.spec.template.specobjectcustomContains the detailed specification template for the resource (e.g., pod spec in GKE).
5379.1.0truegcp_auditgcp_audit.request.spec.userkeywordcustomexample-userThe user identity specified in the resource configuration or request
5389.1.0truegcp_auditgcp_audit.request.status.allowedbooleancustomTrueIndicates whether the requested action was authorized (true) or denied (false)
5399.1.0truegcp_auditgcp_audit.resourcelocation.currentlocationnestedcustomarraySpecifies the geographic location or region where the resource currently resides
5409.1.0truegcp_auditgcp_audit.resourcenamekeywordcustomexample-resourcenameThe name of the resource that was accessed or modified in the audit event
5419.1.0truegcp_auditgcp_audit.response.@typekeywordcustomexample-@typeThe message type of the response payload
5429.1.0truegcp_auditgcp_audit.response.apiVersionkeywordcustomexample-apiVersionSpecifies the API version used in the response.
5439.1.0truegcp_auditgcp_audit.response.bindingsnestedcustomarrayDefines role bindings that associate users or groups with roles.
5449.1.0truegcp_auditgcp_audit.response.details.groupkeywordcustomexample-groupIndicates the group of the resource in the response details.
5459.1.0truegcp_auditgcp_audit.response.details.kindkeywordcustomexample-kindSpecifies the kind of the resource in the response details.
5469.1.0truegcp_auditgcp_audit.response.details.namekeywordcustomexample-nameProvides the name of the resource in the response details.
5479.1.0truegcp_auditgcp_audit.response.details.uidkeywordcustomexample-uidRepresents the unique identifier (UID) of the resource.
5489.1.0truegcp_auditgcp_audit.response.etagkeywordcustomexample-etagETag value used for optimistic concurrency control.
5499.1.0truegcp_auditgcp_audit.response.idkeywordcustomexample-idUnique identifier of the resource in the response.
5509.1.0truegcp_auditgcp_audit.response.insertTimekeywordcustomexample-insertTimeTimestamp when the resource was inserted.
5519.1.0truegcp_auditgcp_audit.response.kindkeywordcustomexample-kindSpecifies the type or category of the resource.
5529.1.0truegcp_auditgcp_audit.response.metadata.annotationsobjectcustomAnnotations metadata associated with the resource.
5539.1.0truegcp_auditgcp_audit.response.metadata.creationTimestampdatecustom2023-01-01T00:00:00.000ZTimestamp of when the resource was created.
5549.1.0truegcp_auditgcp_audit.response.metadata.generationkeywordcustomexample-generationVersion number or generation of the resource.
5559.1.0truegcp_auditgcp_audit.response.metadata.labelsobjectcustomLabels metadata assigned to the resource.
5569.1.0truegcp_auditgcp_audit.response.metadata.managedFieldsnestedcustomarrayManaged fields metadata describing changes to the resource.
5579.1.0truegcp_auditgcp_audit.response.metadata.namekeywordcustomexample-nameName of the resource in the metadata section.
5589.1.0truegcp_auditgcp_audit.response.metadata.namespacekeywordcustomexample-namespaceNamespace associated with the resource.
5599.1.0truegcp_auditgcp_audit.response.metadata.resourceVersionkeywordcustomexample-resourceVersionResource version used for concurrency control.
5609.1.0truegcp_auditgcp_audit.response.metadata.uidkeywordcustomexample-uidUnique identifier (UID) of the resource in metadata.
5619.1.0truegcp_auditgcp_audit.response.namekeywordcustomexample-nameName of the resource defined in the response.
5629.1.0truegcp_auditgcp_audit.response.operationTypekeywordcustomexample-operationTypeSpecifies the type of operation performed.
5639.1.0truegcp_auditgcp_audit.response.progresskeywordcustomexample-progressIndicates progress of the requested operation.
5649.1.0truegcp_auditgcp_audit.response.selfLinkkeywordcustomexample-selfLinkSelf-link URL for accessing the resource.
5659.1.0truegcp_auditgcp_audit.response.selfLinkWithIdkeywordcustomexample-selfLinkWithIdSelf-link URL including the resource identifier.
5669.1.0truegcp_auditgcp_audit.response.spec.groupnestedcustomarrayDefines a group specification for the resource.
9.1.0,true,gcp_audit,gcp_audit.response.spec.nonResourceAttributes.path,keyword,custom,,example-path,Path value for non-resource attribute specifications.
9.1.0,true,gcp_audit,gcp_audit.response.spec.nonResourceAttributes.verb,keyword,custom,,example-verb,HTTP verb associated with the non-resource attribute.
9.1.0,true,gcp_audit,gcp_audit.response.spec.progressDeadlineSeconds,keyword,custom,,example-progressDeadlineSeconds,Deadline in seconds for operation progress.
9.1.0,true,gcp_audit,gcp_audit.response.spec.replicas,keyword,custom,,example-replicas,Number of replicas defined for the resource.
9.1.0,true,gcp_audit,gcp_audit.response.spec.revisionHistoryLimit,keyword,custom,,example-revisionHistoryLimit,Number of revisions to retain for rollback.
9.1.0,true,gcp_audit,gcp_audit.response.spec.selector.matchLabels.k8s-app,keyword,custom,,example-k8s-app,Match label used to identify Kubernetes apps.
9.1.0,true,gcp_audit,gcp_audit.response.spec.strategy.rollingUpdate.maxSurge,keyword,custom,,example-maxSurge,Maximum number of pods that can be scheduled above desired replicas during update.
9.1.0,true,gcp_audit,gcp_audit.response.spec.strategy.rollingUpdate.maxUnavailable,keyword,custom,,example-maxUnavailable,Maximum number of pods that can be unavailable during update.
9.1.0,true,gcp_audit,gcp_audit.response.spec.strategy.type,keyword,custom,,example-type,Strategy type used for rolling updates.
9.1.0,true,gcp_audit,gcp_audit.response.spec.template.metadata.annotations,object,custom,,,Annotations in the pod template metadata.
9.1.0,true,gcp_audit,gcp_audit.response.spec.template.metadata.creationTimestamp,date,custom,,2023-01-01T00:00:00.000Z,Creation timestamp of the pod template.
9.1.0,true,gcp_audit,gcp_audit.response.spec.template.metadata.labels.k8s-app,keyword,custom,,example-k8s-app,Labels in the pod template metadata.
9.1.0,true,gcp_audit,gcp_audit.response.spec.template.spec.containers,nested,custom,,,List of containers defined in the pod specification.
9.1.0,true,gcp_audit,gcp_audit.response.spec.template.spec.dnsPolicy,keyword,custom,,example-dnsPolicy,DNS policy applied to the pod specification.
9.1.0,true,gcp_audit,gcp_audit.response.spec.template.spec.nodeSelector,object,custom,,,Node selector used to schedule the pod.
9.1.0,true,gcp_audit,gcp_audit.response.spec.template.spec.priorityClassName,keyword,custom,,example-priorityClassName,Priority class name assigned to the pod.
9.1.0,true,gcp_audit,gcp_audit.response.spec.template.spec.restartPolicy,keyword,custom,,example-restartPolicy,Restart policy applied to the pod.
9.1.0,true,gcp_audit,gcp_audit.response.spec.template.spec.schedulerName,keyword,custom,,example-schedulerName,Scheduler name used for the pod scheduling.
9.1.0,true,gcp_audit,gcp_audit.response.spec.template.spec.securityContext.fsGroup,keyword,custom,,example-fsGroup,File system group ID in the pod security context.
9.1.0,true,gcp_audit,gcp_audit.response.spec.template.spec.securityContext.runAsGroup,keyword,custom,,example-runAsGroup,Run-as group ID in the pod security context.
9.1.0,true,gcp_audit,gcp_audit.response.spec.template.spec.securityContext.runAsUser,keyword,custom,,example-runAsUser,Run-as user ID in the pod security context.
9.1.0,true,gcp_audit,gcp_audit.response.spec.template.spec.serviceAccount,keyword,custom,,example-serviceAccount,Service account associated with the pod.
9.1.0,true,gcp_audit,gcp_audit.response.spec.template.spec.serviceAccountName,keyword,custom,,example-serviceAccountName,Name of the service account assigned to the pod.
9.1.0,true,gcp_audit,gcp_audit.response.spec.template.spec.terminationGracePeriodSeconds,keyword,custom,,example-terminationGracePeriodSeconds,Time in seconds before terminating the pod.
9.1.0,true,gcp_audit,gcp_audit.response.spec.template.spec.tolerations,nested,custom,array,,Tolerations applied to the pod specification.
9.1.0,true,gcp_audit,gcp_audit.response.spec.template.spec.topologySpreadConstraints,nested,custom,array,,Topology spread constraints for distributing pods.
9.1.0,true,gcp_audit,gcp_audit.response.spec.template.spec.volumes,nested,custom,array,,Volumes defined in the pod specification.
9.1.0,true,gcp_audit,gcp_audit.response.spec.user,keyword,custom,,example-user,User associated with the resource specification.
9.1.0,true,gcp_audit,gcp_audit.response.startTime,keyword,custom,,example-startTime,Start time of the operation or process.
9.1.0,true,gcp_audit,gcp_audit.response.status.allowed,boolean,custom,,True,Indicates whether the request or action was allowed.
9.1.0,true,gcp_audit,gcp_audit.response.status.availableReplicas,keyword,custom,,example-availableReplicas,Number of replicas available at the time of the response.
9.1.0,true,gcp_audit,gcp_audit.response.status.conditions,nested,custom,array,,Conditions describing the current status of the resource.
9.1.0,true,gcp_audit,gcp_audit.response.status.observedGeneration,keyword,custom,,example-observedGeneration,Most recent observed generation of the resource.
9.1.0,true,gcp_audit,gcp_audit.response.status.readyReplicas,keyword,custom,,example-readyReplicas,Number of replicas ready for service.
9.1.0,true,gcp_audit,gcp_audit.response.status.reason,keyword,custom,,example-reason,Reason for the current status of the resource.
9.1.0,true,gcp_audit,gcp_audit.response.status.replicas,keyword,custom,,example-replicas,Total number of replicas of the resource.
9.1.0,true,gcp_audit,gcp_audit.response.status.updatedReplicas,keyword,custom,,example-updatedReplicas,Number of replicas updated to the latest version.
9.1.0,true,gcp_audit,gcp_audit.response.statusvalue,keyword,custom,,example-statusvalue,Current status value of the resource.
9.1.0,true,gcp_audit,gcp_audit.response.targetId,keyword,custom,,example-targetId,Identifier of the target resource.
9.1.0,true,gcp_audit,gcp_audit.response.targetLink,keyword,custom,,example-targetLink,Target link URL of the resource.
9.1.0,true,gcp_audit,gcp_audit.response.user,keyword,custom,,example-user,User who initiated the request or operation.
9.1.0,true,gcp_audit,gcp_audit.response.zone,keyword,custom,,example-zone,Zone in which the resource resides.
9.1.0,true,gcp_audit,gcp_audit.servicename,keyword,custom,,example-servicename,The name of the Google Cloud service that processed the request.
9.1.0,true,gcp_audit,gcp_audit.status.code,long,custom,,12345,Numeric status code representing the outcome of the request.
9.1.0,true,gcp_audit,gcp_audit.status.details,nested,custom,array,,The purpose of this field needs to be defined.
9.1.0,true,gcp_audit,gcp_audit.status.message,keyword,custom,,example-message,A human-readable description of the status code.
9.1.0,true,gcp_audit,gcp_audit.target.entity_id,nested,custom,,,The unique identifier of the target entity involved in the audited operation.
9.1.0,true,gcp_audit,gcp_audit.type,keyword,custom,,example-type,The type classification of the audit event.
9.1.0,true,gcp_compute,gcp_compute.event_module,keyword,custom,,example-event_module,The GCP compute log event module name.
9.1.0,true,gcp_compute,gcp_compute.labels.user.goog-gke-node,keyword,custom,,example-goog-gke-node,A custom label that identifies the Google Kubernetes Engine node associated with the instance.
9.1.0,true,gcp_compute,gcp_compute.metrics.firewall.dropped.bytes,long,custom,,12345,Represents the number of bytes dropped by the firewall as recorded by GCP Compute metrics.
9.1.0,true,gcp_compute,gcp_compute.metrics.firewall.dropped_packets_count.value,long,custom,,12345,Represents the count of packets dropped by the firewall as measured in GCP Compute metrics.
9.1.0,true,gcp_compute,gcp_compute.metrics.instance.cpu.reserved_cores.value,long,custom,,12345,Indicates the number of CPU cores reserved for the instance according to GCP Compute metrics.
9.1.0,true,gcp_compute,gcp_compute.metrics.instance.cpu.usage.pct,float,custom,,,Shows the CPU usage percentage for the instance according to GCP Compute metrics.
9.1.0,true,gcp_compute,gcp_compute.metrics.instance.cpu.usage_time.sec,float,custom,,,Represents the total CPU usage time in seconds for the instance.
9.1.0,true,gcp_compute,gcp_compute.metrics.instance.disk.read.bytes,long,custom,,12345,Total number of bytes read from the instance's disks.
9.1.0,true,gcp_compute,gcp_compute.metrics.instance.disk.read_ops_count.value,long,custom,,12345,The count of disk read operations performed on the instance.
9.1.0,true,gcp_compute,gcp_compute.metrics.instance.disk.write.bytes,long,custom,,12345,Total number of bytes written to the instance's disks.
9.1.0,true,gcp_compute,gcp_compute.metrics.instance.disk.write_ops_count.value,long,custom,,12345,The count of disk write operations performed on the instance.
9.1.0,true,gcp_compute,gcp_compute.metrics.instance.memory.balloon.ram_size.value,long,custom,,12345,The total RAM size reported via memory ballooning for the instance.
9.1.0,true,gcp_compute,gcp_compute.metrics.instance.memory.balloon.ram_used.value,long,custom,,12345,The amount of RAM used as reported by the memory ballooning metrics.
9.1.0,true,gcp_compute,gcp_compute.metrics.instance.memory.balloon.swap_in.bytes,long,custom,,12345,The number of bytes swapped into memory for the instance.
9.1.0,true,gcp_compute,gcp_compute.metrics.instance.memory.balloon.swap_out.bytes,long,custom,,12345,The number of bytes swapped out of memory for the instance.
9.1.0,true,gcp_compute,gcp_compute.metrics.instance.network.egress.bytes,long,custom,,12345,Total outgoing network traffic in bytes for the instance.
9.1.0,true,gcp_compute,gcp_compute.metrics.instance.network.egress.packets.count,long,custom,,12345,The count of outgoing network packets for the instance.
9.1.0,true,gcp_compute,gcp_compute.metrics.instance.network.ingress.bytes,long,custom,,12345,Total incoming network traffic in bytes for the instance.
9.1.0,true,gcp_compute,gcp_compute.metrics.instance.network.ingress.packets.count,long,custom,,12345,The count of incoming network packets for the instance.
9.1.0,true,gcp_compute,gcp_compute.metrics.instance.uptime.sec,float,custom,,,The instance uptime in seconds.
9.1.0,true,gcp_compute,gcp_compute.metrics.instance.uptime_total.sec,keyword,custom,,example-sec,The total accumulated uptime of the instance in seconds.
9.1.0,true,gcp_dns,gcp_dns.authanswer,boolean,custom,,True,Indicates whether the DNS query was authenticated based on the authAnswer flag.
9.1.0,true,gcp_dns,gcp_dns.destinationIP,keyword,custom,,example-destinationIP,Contains the destination IP address for the DNS query.
9.1.0,true,gcp_dns,gcp_dns.egresserror,keyword,custom,,example-egresserror,Captures any error information related to the egress process for the DNS query.
9.1.0,true,gcp_dns,gcp_dns.protocol,keyword,custom,,example-protocol,"Indicates the network protocol (e.g. TCP, UDP) used for the DNS query."
9.1.0,true,gcp_dns,gcp_dns.queryname,keyword,custom,,example-queryname,Represents the fully qualified domain name (FQDN) that was queried.
9.1.0,true,gcp_dns,gcp_dns.querytype,keyword,custom,,example-querytype,Specifies the type of DNS record being queried.
9.1.0,true,gcp_dns,gcp_dns.rdata,keyword,custom,,example-rdata,Contains the raw resource record data returned in the DNS response.
9.1.0,true,gcp_dns,gcp_dns.responsecode,keyword,custom,,example-responsecode,"Indicates the DNS response code, such as ""NOERROR""."
9.1.0,true,gcp_dns,gcp_dns.serverlatency,long,custom,,12345,Measures the latency of the DNS server's response.
9.1.0,true,gcp_dns,gcp_dns.source_type,keyword,custom,,example-source_type,Classifies the type of source resource for the DNS query.
9.1.0,true,gcp_dns,gcp_dns.sourceip,keyword,custom,,example-sourceip,Contains the IP address from which the DNS query was initiated.
9.1.0,true,gcp_dns,gcp_dns.sourcenetwork,keyword,custom,,example-sourcenetwork,Represents the network segment or identifier associated with the query's source.
9.1.0,true,gcp_dns,gcp_dns.target_type,keyword,custom,,example-target_type,Denotes the type of target resource involved in the DNS query.
9.1.0,true,gcp_dns,gcp_dns.vminstanceid,keyword,custom,,example-vminstanceid,Holds the unique identifier of the virtual machine instance that generated the DNS query.
9.1.0,true,gcp_dns,gcp_dns.vminstancename,keyword,custom,,example-vminstancename,Contains the original virtual machine instance name prior to any normalization.
9.1.0,true,gcp_dns,gcp_dns.vmprojectid,keyword,custom,,example-vmprojectid,Identifies the project associated with the virtual machine instance that issued the DNS query.
9.1.0,true,gcp_dns,gcp_dns.vmzonename,keyword,custom,,example-vmzonename,Specifies the availability zone of the virtual machine instance.
9.1.0,true,gcp_firewall,gcp_firewall.destinationinstance.project_id,keyword,custom,,example-project_id,The project identifier for the destination instance from the GCP firewall logs.
9.1.0,true,gcp_firewall,gcp_firewall.destinationinstance.region,keyword,custom,,example-region,The region where the destination instance is located.
9.1.0,true,gcp_firewall,gcp_firewall.destinationinstance.vm_name,keyword,custom,,example-vm_name,The name of the destination instance as reported in the firewall log.
9.1.0,true,gcp_firewall,gcp_firewall.destinationinstance.zone,keyword,custom,,example-zone,The availability zone of the destination instance.
9.1.0,true,gcp_firewall,gcp_firewall.destinationvpc.project_id,keyword,custom,,example-project_id,The project identifier associated with the destination VPC.
9.1.0,true,gcp_firewall,gcp_firewall.destinationvpc.subnetwork_name,keyword,custom,,example-subnetwork_name,The name of the subnetwork in the destination VPC.
9.1.0,true,gcp_firewall,gcp_firewall.destinationvpc.vpc_name,keyword,custom,,example-vpc_name,The name of the destination VPC.
9.1.0,true,gcp_firewall,gcp_firewall.rule_details.action,keyword,custom,,example-action,"The action (e.g. DENY, ALLOW) taken as specified in the firewall rule."
9.1.0,true,gcp_firewall,gcp_firewall.rule_details.direction,keyword,custom,,example-direction,The traffic direction (INGRESS or EGRESS) defined in the firewall rule.
9.1.0,true,gcp_firewall,gcp_firewall.rule_details.ip_port_info,nested,custom,array,,The IP protocol specified in the firewall rule.
9.1.0,true,gcp_firewall,gcp_firewall.rule_details.reference,keyword,custom,,example-reference,A reference identifier for the firewall rule.
9.1.0,true,gcp_firewall,gcp_firewall.rule_details.source_range,keyword,custom,array,example-source_range,An array of source IP ranges specified in the firewall rule.
9.1.0,true,gcp_firewall,gcp_firewall.rule_details.target_tag,keyword,custom,array,example-target_tag,An array of target tags defined in the firewall rule.
9.1.0,true,gcp_firewall,gcp_firewall.rule_name,keyword,custom,,example-rule_name,The name of the firewall rule triggered in the GCP firewall allow/block action.
6679.1.0truegcp_loadbalancergcp_loadbalancer.backend_service_namekeywordcustomexample-backend_service_nameThe backend service name used by the load balancer
6689.1.0truegcp_loadbalancergcp_loadbalancer.cacheHitbooleancustomTrueIndicates whether the load balancer served the response from cache
6699.1.0truegcp_loadbalancergcp_loadbalancer.cacheIdkeywordcustomexample-cacheIdThe cache identifier used by the load balancer
6709.1.0truegcp_loadbalancergcp_loadbalancer.cacheLookupbooleancustomTrueIndicates whether a cache lookup was performed by the load balancer
6719.1.0truegcp_loadbalancergcp_loadbalancer.forwarding_rule_namekeywordcustomexample-forwarding_rule_nameThe name of the forwarding rule associated with the load balancer
6729.1.0truegcp_loadbalancergcp_loadbalancer.statusDetailskeywordcustomexample-statusDetailsAdditional status details provided by the load balancer
6739.1.0truegcp_loadbalancergcp_loadbalancer.target_proxy_namekeywordcustomexample-target_proxy_nameThe target proxy name configured for the load balancer
6749.1.0truegcp_loadbalancergcp_loadbalancer.url_map_namekeywordcustomexample-url_map_nameThe URL map name used by the load balancer
6759.1.0truegcp_vpcflowgcp_vpcflow.dest_instance.project_idkeywordcustomexample-project_idThe project ID that owns the destination VM instance receiving the traffic
6769.1.0truegcp_vpcflowgcp_vpcflow.dest_instance.regionkeywordcustomexample-regionRegion in which the destination instance is deployed useful for analyzing cross-region traffic
6779.1.0truegcp_vpcflowgcp_vpcflow.dest_instance.vm_namekeywordcustomexample-vm_nameThe name of the destination virtual machine used to determine which instance received the traffic
6789.1.0truegcp_vpcflowgcp_vpcflow.dest_instance.zonekeywordcustomexample-zoneZone of the destination VM providing a more granular location than region
6799.1.0truegcp_vpcflowgcp_vpcflow.dest_vpc.project_idkeywordcustomexample-project_idProject ID associated with the destination VPC network
6809.1.0truegcp_vpcflowgcp_vpcflow.dest_vpc.subnetwork_namekeywordcustomexample-subnetwork_nameThe name of the subnetwork within the destination VPC
6819.1.0truegcp_vpcflowgcp_vpcflow.dest_vpc.vpc_namekeywordcustomexample-vpc_nameName of the destination Virtual Private Cloud network where traffic is received
6829.1.0truegcp_vpcflowgcp_vpcflow.reporterkeywordcustomexample-reporterIndicates which side (source or destination) of the network connection reported the flow. Values can be "SRC" or "DEST"
6839.1.0truegcp_vpcflowgcp_vpcflow.rtt_mseclongcustom12345Round-trip time in milliseconds for the connection represented in the log
6849.1.0truegcp_vpcflowgcp_vpcflow.src_instance.project_idkeywordcustomexample-project_idGCP project ID where source instance resides. Identifies which project owns the VM that initiated the traffic.
6859.1.0truegcp_vpcflowgcp_vpcflow.src_instance.regionkeywordcustomexample-regionThe geographical region of the source VM instance. Helps in mapping network flows across geographic locations
6869.1.0truegcp_vpcflowgcp_vpcflow.src_instance.vm_namekeywordcustomexample-vm_nameName of virtual machine that originated the traffic. Useful for correlating flow data with VM-level logs or events.
6879.1.0truegcp_vpcflowgcp_vpcflow.src_instance.zonekeywordcustomexample-zoneThe specific GCP zone (within a region) where the source VM is located
6889.1.0truegcp_vpcflowgcp_vpcflow.src_vpc.project_idkeywordcustomexample-project_idProject ID associated with the source VPC network. Useful for identifying VPC ownership in multi-project environments
6899.1.0truegcp_vpcflowgcp_vpcflow.src_vpc.subnetwork_namekeywordcustomexample-subnetwork_nameThe name of the subnetwork (subnet) within the VPC where the source VM resides
6909.1.0truegcp_vpcflowgcp_vpcflow.src_vpc.vpc_namekeywordcustomexample-vpc_nameThe name of the source Virtual Private Cloud network used to send the traffic
6919.1.0falsegen_aigen_ai.agent.descriptionkeywordextendedHelps with math problems; Generates fiction storiesFree-form description of the GenAI agent provided by the application.
6929.1.0truegen_aigen_ai.agent.idkeywordextendedasst_5j66UpCpwteGg4YSxUnt7lPYThe unique identifier of the GenAI agent.
6939.1.0truegen_aigen_ai.agent.namekeywordextendedMath Tutor; Fiction WriterHuman-readable name of the GenAI agent provided by the application.
6949.1.0truegen_aigen_ai.operation.namekeywordextendedchat; text_completion; embeddingsThe name of the operation being performed.
6959.1.0truegen_aigen_ai.output.typekeywordextendedtext; json; imageRepresents the content type requested by the client.
6969.1.0truegen_aigen_ai.request.choice.countintegerextended3The target number of candidate completions to return.
6979.1.0truegen_aigen_ai.request.encoding_formatskeywordextended["float", "binary"]The encoding formats requested in an embeddings operation, if specified.
6989.1.0truegen_aigen_ai.request.frequency_penaltydoubleextended0.1The frequency penalty setting for the GenAI request.
6999.1.0truegen_aigen_ai.request.max_tokensintegerextended100The maximum number of tokens the model generates for a request.
7009.1.0truegen_aigen_ai.request.modelkeywordextendedgpt-4The name of the GenAI model a request is being made to.
7019.1.0truegen_aigen_ai.request.presence_penaltydoubleextended0.1The presence penalty setting for the GenAI request.
7029.1.0truegen_aigen_ai.request.seedintegerextended100Requests with same seed value more likely to return same result.
7039.1.0truegen_aigen_ai.request.stop_sequenceskeywordextended["forest", "lived"]List of sequences that the model will use to stop generating further tokens.
7049.1.0truegen_aigen_ai.request.temperaturedoubleextended0.0The temperature setting for the GenAI request.
7059.1.0truegen_aigen_ai.request.top_kdoubleextended1.0The top_k sampling setting for the GenAI request.
7069.1.0truegen_aigen_ai.request.top_pdoubleextended1.0The top_p sampling setting for the GenAI request.
7079.1.0truegen_aigen_ai.response.finish_reasonskeywordextended["stop", "length"]Array of reasons the model stopped generating tokens, corresponding to each generation received.
7089.1.0truegen_aigen_ai.response.idkeywordextendedchatcmpl-123The unique identifier for the completion.
7099.1.0truegen_aigen_ai.response.modelkeywordextendedgpt-4-0613The name of the model that generated the response.
7109.1.0truegen_aigen_ai.systemkeywordextendedopenaiThe Generative AI product as identified by the client or server instrumentation.
7119.1.0truegen_aigen_ai.token.typekeywordextendedinput; outputThe type of token being counted.
7129.1.0truegen_aigen_ai.tool.call.idkeywordextendedcall_mszuSIzqtI65i1wAUOE8w5H4The tool call identifier.
7139.1.0truegen_aigen_ai.tool.namekeywordextendedFlightsName of the tool utilized by the agent.
7149.1.0truegen_aigen_ai.tool.typekeywordextendedfunction; extension; datastoreType of the tool utilized by the agent
7159.1.0truegen_aigen_ai.usage.input_tokensintegerextended100The number of tokens used in the GenAI input (prompt).
7169.1.0truegen_aigen_ai.usage.output_tokensintegerextended180The number of tokens used in the GenAI response (completion).
7179.1.0truegoogle_sccgoogle_scc.asset.access_policy.create_timedatecustom2023-01-01T00:00:00.000ZThe timestamp when the AccessPolicy was created
7189.1.0truegoogle_sccgoogle_scc.asset.access_policy.etagkeywordcustomexample-etagAn opaque identifier for the current version of the AccessPolicy
7199.1.0truegoogle_sccgoogle_scc.asset.access_policy.namekeywordcustomexample-nameThe full resource name of the AccessPolicy in VPC Service Controls
7209.1.0truegoogle_sccgoogle_scc.asset.access_policy.parentkeywordcustomexample-parentThe parent resource of this AccessPolicy in the Cloud Resource Hierarchy
7219.1.0truegoogle_sccgoogle_scc.asset.access_policy.titlekeywordcustomexample-titleA human-readable title for the AccessPolicy
7229.1.0truegoogle_sccgoogle_scc.asset.access_policy.update_timedatecustom2023-01-01T00:00:00.000ZThe timestamp when the AccessPolicy was last updated
7239.1.0truegoogle_sccgoogle_scc.asset.ancestorsnestedcustomThe complete ancestry path of the asset in the Google Cloud resource hierarchy
7249.1.0truegoogle_sccgoogle_scc.asset.asset_typekeywordcustomexample-asset_typeThe type of the Google Cloud resource as defined in the Cloud Asset Inventory
7259.1.0truegoogle_sccgoogle_scc.asset.iam_policy.bindingsnestedcustomThe collection of IAM policy bindings that associate members to roles
7269.1.0truegoogle_sccgoogle_scc.asset.iam_policy.etagkeywordcustomexample-etagA hash value used to perform optimistic concurrency control
7279.1.0truegoogle_sccgoogle_scc.asset.iam_policy.versionlongcustom12345The version number that specifies the format of the IAM policy
7289.1.0truegoogle_sccgoogle_scc.asset.namekeywordcustomexample-nameThe full name of the asset following Google Cloud resource naming conventions
7299.1.0truegoogle_sccgoogle_scc.asset.org_policynestedcustomOrganization policy constraints applied to this asset
7309.1.0truegoogle_sccgoogle_scc.asset.os_inventory.itemsnestedcustomDetailed inventory items related to the VM including installed packages
7319.1.0truegoogle_sccgoogle_scc.asset.os_inventory.namekeywordcustomexample-nameThe full resource name of the OS inventory data
7329.1.0truegoogle_sccgoogle_scc.asset.os_inventory.os_info.architecturekeywordcustomexample-architectureThe system architecture of the operating system
7339.1.0truegoogle_sccgoogle_scc.asset.os_inventory.os_info.hostnamekeywordcustomexample-hostnameThe hostname of the virtual machine as reported by the operating system
7349.1.0truegoogle_sccgoogle_scc.asset.os_inventory.os_info.kernel_releasekeywordcustomexample-kernel_releaseThe release identifier of the operating system kernel
7359.1.0truegoogle_sccgoogle_scc.asset.os_inventory.os_info.kernel_versionkeywordcustomexample-kernel_versionThe version of the operating system kernel
7369.1.0truegoogle_sccgoogle_scc.asset.os_inventory.os_info.long_namekeywordcustomexample-long_nameThe complete descriptive name of the operating system
7379.1.0truegoogle_sccgoogle_scc.asset.os_inventory.os_info.osconfigagent_versionkeywordcustomexample-osconfigagent_versionThe version of the Google Cloud OS Config agent
7389.1.0truegoogle_sccgoogle_scc.asset.os_inventory.os_info.short_namekeywordcustomexample-short_nameThe abbreviated name of the operating system family
7399.1.0truegoogle_sccgoogle_scc.asset.os_inventory.os_info.versionkeywordcustomexample-versionThe version number or identifier of the operating system
7409.1.0truegoogle_sccgoogle_scc.asset.os_inventory.update_timedatecustom2023-01-01T00:00:00.000ZThe timestamp when the OS inventory information was last collected
7419.1.0truegoogle_sccgoogle_scc.asset.prior.ancestorsnestedcustomThe ancestry path of the asset in its previous state
7429.1.0truegoogle_sccgoogle_scc.asset.prior.namekeywordcustomexample-nameThe full name of the asset in its previous state
7439.1.0truegoogle_sccgoogle_scc.asset.prior.resource.data.analyticsEnabledbooleancustomTrueBoolean indicating whether analytics features were enabled in previous state
7449.1.0truegoogle_sccgoogle_scc.asset.prior.resource.data.descriptionkeywordcustomexample-descriptionThe description of the resource in its previous state
7459.1.0truegoogle_sccgoogle_scc.asset.prior.resource.data.lifecycleStatekeywordcustomexample-lifecycleStateThe lifecycle state of the resource in its previous state
7469.1.0truegoogle_sccgoogle_scc.asset.prior.resource.data.namekeywordcustomexample-nameThe name of the resource data in its previous state
7479.1.0truegoogle_sccgoogle_scc.asset.prior.resource.data.retentionDayslongcustom12345The number of retention days configured for the resource in its previous state
7489.1.0truegoogle_sccgoogle_scc.asset.prior.resource.discovery.document_urikeywordcustomexample-document_uriThe URI of the discovery document for the resource in its previous state
7499.1.0truegoogle_sccgoogle_scc.asset.prior.resource.discovery.namekeywordcustomexample-nameThe discovery name of the resource in its previous state
7509.1.0truegoogle_sccgoogle_scc.asset.prior.resource.locationkeywordcustomexample-locationThe geographic location of the resource in its previous state
7519.1.0truegoogle_sccgoogle_scc.asset.prior.resource.parentkeywordcustomexample-parentThe parent resource of the asset in its previous state
7529.1.0truegoogle_sccgoogle_scc.asset.prior.resource.versionkeywordcustomexample-versionThe API version of the resource schema in its previous state
7539.1.0truegoogle_sccgoogle_scc.asset.prior.typekeywordcustomexample-typeThe asset type in its previous state before the current change
7549.1.0truegoogle_sccgoogle_scc.asset.prior.update_timedatecustom2023-01-01T00:00:00.000ZThe timestamp when the asset was last updated before the current change
7559.1.0truegoogle_sccgoogle_scc.asset.prior_asset_statekeywordcustomexample-prior_asset_stateThe overall state of the asset before the current change
7569.1.0truegoogle_sccgoogle_scc.asset.related_asset.ancestorsnestedcustomThe ancestry path of related assets
7579.1.0truegoogle_sccgoogle_scc.asset.related_asset.namekeywordcustomexample-nameThe full name of assets that are related to this asset
7589.1.0truegoogle_sccgoogle_scc.asset.related_asset.relationship_typekeywordcustomexample-relationship_typeThe type of relationship between this asset and related assets
7599.1.0truegoogle_sccgoogle_scc.asset.related_asset.typekeywordcustomexample-typeThe asset type of related assets that have a relationship with this asset
7609.1.0truegoogle_sccgoogle_scc.asset.resource.datatextcustomThe complete content and configuration of the resource
7619.1.0truegoogle_sccgoogle_scc.asset.resource.discovery.document_urikeywordcustomexample-document_uriThe URI of the discovery document containing the JSON schema for the current resource
7629.1.0truegoogle_sccgoogle_scc.asset.resource.discovery.namekeywordcustomexample-nameThe discovery name of the current resource
7639.1.0truegoogle_sccgoogle_scc.asset.resource.discovery_document_urikeywordcustomexample-discovery_document_uriThe URL of the discovery document containing the JSON schema definition
7649.1.0truegoogle_sccgoogle_scc.asset.resource.discovery_namekeywordcustomexample-discovery_nameThe JSON schema name listed in the discovery document
7659.1.0truegoogle_sccgoogle_scc.asset.resource.locationkeywordcustomexample-locationThe geographic location or region where the resource is hosted
7669.1.0truegoogle_sccgoogle_scc.asset.resource.parentkeywordcustomexample-parentThe full name of the immediate parent resource in the Google Cloud resource hierarchy
7679.1.0truegoogle_sccgoogle_scc.asset.resource.versionkeywordcustomexample-versionThe API version of the resource schema used to represent this asset
7689.1.0truegoogle_sccgoogle_scc.asset.typekeywordcustomexample-typeThe type of the asset in Google Cloud Asset Inventory
7699.1.0truegoogle_sccgoogle_scc.asset.update_timedatecustom2023-01-01T00:00:00.000ZThe timestamp when the asset was last updated
7709.1.0truegoogle_sccgoogle_scc.asset.window.start_timedatecustom2023-01-01T00:00:00.000ZThe start time of the time window for asset change detection
7719.1.0truegoogle_sccgoogle_scc.finding.access.caller_ipipcustom192.168.1.1The IP address of the entity that triggered the security finding
7729.1.0truegoogle_sccgoogle_scc.finding.access.caller_ip_geo.region_codekeywordcustomexample-region_codeThe geographic region code associated with the caller IP address
7739.1.0truegoogle_sccgoogle_scc.finding.access.method_namekeywordcustomexample-method_nameThe API method or service operation that was accessed when the security event occurred
7749.1.0truegoogle_sccgoogle_scc.finding.access.principal.emailkeywordcustomexample-emailThe email address of the authenticated user or service account
7759.1.0truegoogle_sccgoogle_scc.finding.access.principal.subjectkeywordcustomexample-subjectString representation of the identity of the requesting party
7769.1.0truegoogle_sccgoogle_scc.finding.access.service_account.key_namekeywordcustomexample-key_nameThe name of the service account key that was used for authentication
7779.1.0truegoogle_sccgoogle_scc.finding.access.service_namekeywordcustomexample-service_nameThe name of the Google Cloud service that was accessed
7789.1.0truegoogle_sccgoogle_scc.finding.access.user_agentkeywordcustomexample-user_agentThe user agent string provided by the client that triggered the security finding
7799.1.0truegoogle_sccgoogle_scc.finding.access.user_namekeywordcustomexample-user_nameThe username of the entity involved in the security event
7809.1.0truegoogle_sccgoogle_scc.finding.canonical_namekeywordcustomexample-canonical_nameThe canonical name of the finding in Security Command Center
7819.1.0truegoogle_sccgoogle_scc.finding.categorykeywordcustomexample-categoryThe additional taxonomy group within findings from a given source
7829.1.0truegoogle_sccgoogle_scc.finding.classkeywordcustomexample-classThe class of the finding which can be THREAT VULNERABILITY or MISCONFIGURATION
7839.1.0truegoogle_sccgoogle_scc.finding.compliancesnestedcustomCompliance framework mappings showing how this finding relates to security standards
7849.1.0truegoogle_sccgoogle_scc.finding.contactsobjectcustomContact information for individuals or teams responsible for addressing this finding
7859.1.0truegoogle_sccgoogle_scc.finding.create_timedatecustom2023-01-01T00:00:00.000ZThe timestamp when the finding was first created in Security Command Center
7869.1.0truegoogle_sccgoogle_scc.finding.descriptionkeywordcustomexample-descriptionContains detailed information about the finding including what was detected
7879.1.0truegoogle_sccgoogle_scc.finding.event_timedatecustom2023-01-01T00:00:00.000ZThe timestamp when the underlying security event took place
7889.1.0truegoogle_sccgoogle_scc.finding.external_systemsobjectcustomInformation about external security systems that have processed this finding
9.1.0,true,google_scc,google_scc.finding.external_uri,keyword,custom,,example-external_uri,The URI that points to a web page outside of Security Command Center with additional information
9.1.0,true,google_scc,google_scc.finding.kubernetes,object,custom,,,Kubernetes-specific information for findings related to container workloads
9.1.0,true,google_scc,google_scc.finding.log_entries,nested,custom,,,Related log entries and audit trail information
9.1.0,true,google_scc,google_scc.finding.mitre_attack,object,custom,,,"MITRE ATT&CK framework tactics, techniques and procedures associated with this finding"
9.1.0,true,google_scc,google_scc.finding.mute.initiator,keyword,custom,,example-initiator,The email address of the user who performed the most recent mute or unmute action
9.1.0,true,google_scc,google_scc.finding.mute.state,keyword,custom,,example-state,The current mute state of the finding
9.1.0,true,google_scc,google_scc.finding.mute.update_time,date,custom,,2023-01-01T00:00:00.000Z,The timestamp when the finding was most recently muted or unmuted
9.1.0,true,google_scc,google_scc.finding.mute_info,object,custom,,,Additional structured information about mute operations performed on this finding
9.1.0,true,google_scc,google_scc.finding.name,keyword,custom,,example-name,The relative resource name of this finding
9.1.0,true,google_scc,google_scc.finding.next_steps,keyword,custom,,example-next_steps,Recommended steps to address and remediate the finding
9.1.0,true,google_scc,google_scc.finding.parent,keyword,custom,,example-parent,The relative resource name of the source the finding belongs to
9.1.0,true,google_scc,google_scc.finding.parent_display_name,keyword,custom,,example-parent_display_name,The human readable display name of the finding source
9.1.0,true,google_scc,google_scc.finding.resource,object,custom,,,Detailed information about the Google Cloud resource associated with this finding
9.1.0,true,google_scc,google_scc.finding.resource_name,keyword,custom,,example-resource_name,The full resource name of the Google Cloud resource this finding is associated with
9.1.0,true,google_scc,google_scc.finding.security_marks,object,custom,,,User-defined security marks and labels applied to the finding
9.1.0,true,google_scc,google_scc.finding.severity,keyword,custom,,example-severity,The severity of the finding ranging from LOW to CRITICAL
9.1.0,true,google_scc,google_scc.finding.source_id,keyword,custom,,example-source_id,The unique identifier of the security source that generated this finding
9.1.0,true,google_scc,google_scc.finding.source_properties,object,custom,,,Source-specific properties and metadata managed by the security source
9.1.0,true,google_scc,google_scc.finding.state,keyword,custom,,example-state,The state of the finding which can be ACTIVE or INACTIVE
9.1.0,true,google_scc,google_scc.finding.vulnerability,object,custom,,,Detailed vulnerability information including CVE identifiers and CVSS scores
9.1.0,true,google_scc,google_scc.source.canonical_name,keyword,custom,,example-canonical_name,The canonical name of the Security Command Center source
9.1.0,true,google_scc,google_scc.source.description,keyword,custom,,example-description,A detailed description of the security source
9.1.0,true,google_scc,google_scc.source.display_name,keyword,custom,,example-display_name,The human-readable display name of the security source
9.1.0,true,google_scc,google_scc.source.id,keyword,custom,,example-id,The unique numeric identifier of the security source
9.1.0,true,google_scc,google_scc.source.name,keyword,custom,,example-name,The full relative resource name of this security source
9.1.0,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of.
9.1.0,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
9.1.0,true,group,group.name,keyword,extended,,,Name of the group.
9.1.0,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture.
9.1.0,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id
9.1.0,true,host,host.cpu,object,custom,,"""name"": ""Intel(R) Core(TM) i7-7700HQ CPU"", ""cores"": 4, ""speed"": 2800",CPU-related data.
9.1.0,true,host,host.cpu.cores,long,custom,,4,Number of CPU cores.
9.1.0,true,host,host.cpu.name,keyword,custom,,Intel(R) Core(TM) i7-7700HQ CPU,CPU Model name.
9.1.0,true,host,host.cpu.speed,long,custom,,2800,CPU clock speed.
9.1.0,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1."
9.1.0,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
9.1.0,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
9.1.0,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
9.1.0,true,host,host.geo.city_name,keyword,core,,Montreal,City name.
9.1.0,true,host,host.geo.continent_code,keyword,core,,NA,Continent code.
9.1.0,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent.
9.1.0,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
9.1.0,true,host,host.geo.country_name,keyword,core,,Canada,Country name.
9.1.0,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
9.1.0,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
9.1.0,true,host,host.geo.postal_code,keyword,core,,94040,Postal code.
9.1.0,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
9.1.0,true,host,host.geo.region_name,keyword,core,,Quebec,Region name.
9.1.0,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
9.1.0,true,host,host.hostname,keyword,core,,,Hostname of the host.
9.1.0,true,host,host.id,keyword,core,,,Unique host id.
9.1.0,true,host,host.ip,ip,core,array,,Host ip addresses.
9.1.0,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses.
9.1.0,true,host,host.memory,object,custom,,"""total"": 100000, ""free"": 90000, ""used"": {""percentage"": 10}",Memory-related data.
9.1.0,true,host,host.memory.free,long,custom,,1024,Free memory in MB.
9.1.0,true,host,host.memory.total,long,custom,,1024,Total memory in MB.
9.1.0,true,host,host.memory.used,object,custom,,"""percentage"": 10",Used memory-related data.
9.1.0,true,host,host.memory.used.percentage,long,custom,,10,Used memory percentage.
9.1.0,true,host,host.name,keyword,core,,,Name of the host.
9.1.0,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
9.1.0,true,host,host.network.egress.drops,long,custom,,10,Number of dropped transmitted packets.
9.1.0,true,host,host.network.egress.errors,long,custom,,10,Number of transmission errors.
9.1.0,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces.
9.1.0,true,host,host.network.egress.queue,long,custom,,10,Transmit queue length.
9.1.0,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
9.1.0,true,host,host.network.ingress.drops,long,custom,,10,Number of dropped received packets.
9.1.0,true,host,host.network.ingress.errors,long,custom,,10,Number of reception errors.
9.1.0,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces.
9.1.0,true,host,host.network.ingress.queue,long,custom,,10,Receive queue length.
9.1.0,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
9.1.0,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
9.1.0,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
9.1.0,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
9.1.0,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such as centos, ubuntu, windows)."
9.1.0,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)."
9.1.0,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
9.1.0,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode
9.1.0,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
9.1.0,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
9.1.0,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
9.1.0,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
9.1.0,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
9.1.0,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
9.1.0,true,host,host.type,keyword,core,,,Type of host.
9.1.0,true,host,host.uptime,long,extended,,1325,Seconds the host has been up.
9.1.0,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body.
9.1.0,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body.
9.1.0,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers).
9.1.0,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID.
9.1.0,true,http,http.request.method,keyword,extended,,POST,HTTP request method.
9.1.0,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request.
9.1.0,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request.
9.1.0,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body.
9.1.0,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body.
9.1.0,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers).
9.1.0,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response.
9.1.0,true,http,http.response.status_code,long,extended,,404,HTTP response status code.
9.1.0,true,http,http.version,keyword,extended,,1.1,HTTP version.
9.1.0,true,interface,interface.alias,keyword,extended,,outside,Interface alias
9.1.0,true,interface,interface.id,keyword,extended,,10,Interface ID
9.1.0,true,interface,interface.mtu,long,custom,,1500,Maximum transmission unit size.
9.1.0,true,interface,interface.name,keyword,extended,,eth0,Interface name
9.1.0,true,interface,interface.state,keyword,custom,,up,State of the network interface.
9.1.0,true,interface,interface.type,keyword,custom,,ethernet,Interface type.
9.1.0,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from.
9.1.0,true,log,log.level,keyword,core,,error,Log level of the log event.
9.1.0,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger.
9.1.0,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event.
9.1.0,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event.
9.1.0,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event.
9.1.0,true,log,log.syslog,object,extended,,,Syslog metadata
9.1.0,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message.
9.1.0,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event.
9.1.0,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event.
9.1.0,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message.
9.1.0,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message.
9.1.0,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event.
9.1.0,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message.
9.1.0,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event.
9.1.0,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event.
9.1.0,true,log,log.syslog.structured_data,flat_object,extended,,,Structured data expressed in RFC 5424 messages.
9.1.0,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version.
9.1.0,true,metricset,metricset.name,keyword,custom,,example-name,Specifies the name of the metric set in the GCP log
9.1.0,true,metricset,metricset.period,long,custom,,12345,Indicates the period in milliseconds at which metrics are collected
9.1.0,true,network,network.application,keyword,extended,,aim,Application level protocol name.
9.1.0,true,network,network.broadcast,ip,custom,,192.168.0.255,Broadcast address.
9.1.0,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions.
9.1.0,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports.
9.1.0,true,network,network.dhcp,keyword,custom,,enabled,"DHCP status (enabled, disabled, unknown, BOOTP)."
9.1.0,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic.
9.1.0,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy.
9.1.0,true,network,network.gateway,ip,custom,,192.168.0.1,Gateway address.
9.1.0,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number.
9.1.0,true,network,network.inner,object,extended,,,Inner VLAN tag information
9.1.0,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
9.1.0,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
9.1.0,true,network,network.metric,long,custom,,15,Metric of the network protocol.
9.1.0,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network.
9.1.0,true,network,network.netmask,ip,custom,,255.255.255.0,Network mask
9.1.0,true,network,network.packets,long,core,,24,Total packets transferred in both directions.
9.1.0,true,network,network.protocol,keyword,core,,http,Application protocol name.
9.1.0,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`.
9.1.0,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc"
9.1.0,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
9.1.0,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
9.1.0,true,observer,observer.egress,object,extended,,,Object field for egress information
9.1.0,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias
9.1.0,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID
9.1.0,true,observer,observer.egress.interface.mtu,long,custom,,1500,Maximum transmission unit size.
9.1.0,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name
9.1.0,true,observer,observer.egress.interface.observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
9.1.0,true,observer,observer.egress.interface.observer.ingress.interface.id,keyword,extended,,10,Interface ID
9.1.0,true,observer,observer.egress.interface.observer.ingress.interface.mtu,long,custom,,1500,Maximum transmission unit size.
9.1.0,true,observer,observer.egress.interface.observer.ingress.interface.name,keyword,extended,,eth0,Interface name
9.1.0,true,observer,observer.egress.interface.observer.ingress.interface.state,keyword,custom,,up,State of the network interface.
9.1.0,true,observer,observer.egress.interface.observer.ingress.interface.type,keyword,custom,,ethernet,Interface type.
9.1.0,true,observer,observer.egress.interface.state,keyword,custom,,up,State of the network interface.
9.1.0,true,observer,observer.egress.interface.type,keyword,custom,,ethernet,Interface type.
9.1.0,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
9.1.0,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
9.1.0,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone
9.1.0,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name.
9.1.0,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code.
9.1.0,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent.
9.1.0,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code.
9.1.0,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name.
9.1.0,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
9.1.0,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
9.1.0,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code.
9.1.0,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
9.1.0,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name.
9.1.0,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
9.1.0,true,observer,observer.hostname,keyword,core,,,Hostname of the observer.
9.1.0,true,observer,observer.ingress,object,extended,,,Object field for ingress information
9.1.0,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias
9.1.0,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID
9.1.0,true,observer,observer.ingress.interface.mtu,long,custom,,1500,Maximum transmission unit size.
9.1.0,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name
9.1.0,true,observer,observer.ingress.interface.state,keyword,custom,,up,State of the network interface.
9.1.0,true,observer,observer.ingress.interface.type,keyword,custom,,ethernet,Interface type.
9.1.0,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer.
9.1.0,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer.
9.1.0,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone
9.1.0,true,observer,observer.ip,ip,core,array,,IP addresses of the observer.
9.1.0,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer.
9.1.0,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer.
9.1.0,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
9.1.0,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
9.1.0,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
9.1.0,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
9.1.0,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such as centos, ubuntu, windows)."
9.1.0,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)."
9.1.0,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
9.1.0,true,observer,observer.product,keyword,extended,,s200,The product name of the observer.
9.1.0,true,observer,observer.serial_number,keyword,extended,,,Observer serial number.
9.1.0,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from.
9.1.0,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer.
9.1.0,true,observer,observer.version,keyword,core,,,Observer version.
9.1.0,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action
9.1.0,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster.
9.1.0,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster.
9.1.0,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster.
9.1.0,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster.
9.1.0,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place.
9.1.0,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups).
9.1.0,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource.
9.1.0,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon.
9.1.0,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed.
9.1.0,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource.
9.1.0,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon.
9.1.0,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed.
9.1.0,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon.
9.1.0,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)."
9.1.0,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization.
9.1.0,true,organization,organization.name,keyword,extended,,,Organization name.
9.1.0,true,package,package.architecture,keyword,extended,,x86_64,Package architecture.
9.1.0,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information
9.1.0,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification.
9.1.0,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package.
9.1.0,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global."
9.1.0,true,package,package.installed,date,extended,,,Time when package was installed.
9.1.0,true,package,package.license,keyword,extended,,Apache License 2.0,Package license
9.1.0,true,package,package.name,keyword,extended,,go,Package name
9.1.0,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed.
9.1.0,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL
9.1.0,true,package,package.size,long,extended,,62231,Package size in bytes.
9.1.0,true,package,package.type,keyword,extended,,rpm,Package type
9.1.0,true,package,package.version,keyword,extended,,1.12.9,Package version
9.1.0,true,policy,policy.description,keyword,custom,,"""The CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 is a comprehensive security configuration guide that provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Windows 11 Enterprise.""",Extended description of the policy.
9.1.0,true,policy,policy.file,keyword,custom,,cis_win11_enterprise.yml,The file name of the SCA policy.
9.1.0,true,policy,policy.id,keyword,custom,,cis_win11_enterprise_21H2,The ID of the SCA policy.
9.1.0,true,policy,policy.name,keyword,custom,,CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0,The name of the SCA policy.
9.1.0,true,policy,policy.references,keyword,custom,array,"[""https://www.cisecurity.org/cis-benchmarks/""]",References for the policy.
9.1.0,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
9.1.0,true,process,process.args_count,long,extended,,4,Length of the process.args array.
9.1.0,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
9.1.0,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
9.1.0,true,process,process.code_signature.flags,keyword,extended,,570522385,Code signing flags of the process
9.1.0,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
9.1.0,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
9.1.0,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
9.1.0,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
9.1.0,true,process,process.code_signature.thumbprint_sha256,keyword,extended,,c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b,SHA256 hash of the certificate.
9.1.0,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
9.1.0,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
9.1.0,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
9.1.0,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
9.1.0,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
9.1.0,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
9.1.0,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
9.1.0,true,process,process.elf.creation_date,date,extended,,,Build or compile date.
9.1.0,true,process,process.elf.exports,flat_object,extended,array,,List of exported element names and types.
9.1.0,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file.
9.1.0,true,process,process.elf.go_imports,flat_object,extended,,,List of imported Go language element names and types.
9.1.0,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
9.1.0,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
9.1.0,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
9.1.0,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
9.1.0,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file.
9.1.0,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header.
9.1.0,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
9.1.0,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
9.1.0,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
9.1.0,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file.
9.1.0,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header.
9.1.0,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file.
9.1.0,true,process,process.elf.imports,flat_object,extended,array,,List of imported element names and types.
9.1.0,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
9.1.0,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
9.1.0,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file.
9.1.0,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
9.1.0,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
9.1.0,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags.
9.1.0,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name.
9.1.0,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
9.1.0,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
9.1.0,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type.
9.1.0,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
9.1.0,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
9.1.0,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
9.1.0,true,process,process.elf.segments,nested,extended,array,,ELF object segment list.
9.1.0,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections.
9.1.0,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type.
9.1.0,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
9.1.0,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
9.1.0,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
9.1.0,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
9.1.0,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
9.1.0,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array.
9.1.0,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group.
9.1.0,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
9.1.0,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user.
9.1.0,true,process,process.entry_leader.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
9.1.0,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
9.1.0,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source.
9.1.0,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader.
9.1.0,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
9.1.0,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
9.1.0,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group.
9.1.0,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
9.1.0,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name.
9.1.0,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
9.1.0,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id.
9.1.0,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
9.1.0,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id.
9.1.0,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
9.1.0,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id.
9.1.0,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
9.1.0,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id.
9.1.0,true,process,process.entry_leader.pid,long,core,,4242,Process id.
9.1.0,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
9.1.0,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group.
9.1.0,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
9.1.0,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user.
9.1.0,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process.
9.1.0,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
9.1.0,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group.
9.1.0,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
9.1.0,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user.
9.1.0,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
9.1.0,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
9.1.0,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group.
9.1.0,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device.
9.1.0,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number.
9.1.0,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
9.1.0,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
9.1.0,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user.
9.1.0,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id.
9.1.0,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process.
9.1.0,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings.
9.1.0,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
9.1.0,true,process,process.exit_code,long,extended,,137,The exit code of the process.
9.1.0,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
9.1.0,true,process,process.group.name,keyword,extended,,,Name of the group.
9.1.0,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
9.1.0,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array.
9.1.0,true,process,process.group_leader.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
9.1.0,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
9.1.0,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
9.1.0,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
9.1.0,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group.
9.1.0,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
9.1.0,true,process,process.group_leader.name,keyword,extended,,ssh,Process name.
9.1.0,true,process,process.group_leader.pid,long,core,,4242,Process id.
9.1.0,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
11349.1.0trueprocessprocess.group_leader.real_group.namekeywordextendedName of the group.
11359.1.0trueprocessprocess.group_leader.real_user.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
11369.1.0trueprocessprocess.group_leader.real_user.namekeywordcorea.einsteinShort name or login of the user.
11379.1.0trueprocessprocess.group_leader.same_as_processbooleanextendedTrueThis boolean is used to identify if a leader process is the same as the top level process.
11389.1.0trueprocessprocess.group_leader.saved_group.idkeywordextendedUnique identifier for the group on the system/platform.
11399.1.0trueprocessprocess.group_leader.saved_group.namekeywordextendedName of the group.
11409.1.0trueprocessprocess.group_leader.saved_user.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
11419.1.0trueprocessprocess.group_leader.saved_user.namekeywordcorea.einsteinShort name or login of the user.
11429.1.0trueprocessprocess.group_leader.startdateextended2016-05-23T08:05:34.853ZThe time the process started.
11439.1.0trueprocessprocess.group_leader.supplemental_groups.idkeywordextendedUnique identifier for the group on the system/platform.
11449.1.0trueprocessprocess.group_leader.supplemental_groups.namekeywordextendedName of the group.
11459.1.0trueprocessprocess.group_leader.ttyobjectextendedInformation about the controlling TTY device.
11469.1.0trueprocessprocess.group_leader.tty.char_device.majorlongextended4The TTY character device's major number.
11479.1.0trueprocessprocess.group_leader.tty.char_device.minorlongextended1The TTY character device's minor number.
11489.1.0trueprocessprocess.group_leader.user.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
11499.1.0trueprocessprocess.group_leader.user.namekeywordcorea.einsteinShort name or login of the user.
11509.1.0trueprocessprocess.group_leader.vpidlongcore4242Virtual process id.
11519.1.0trueprocessprocess.group_leader.working_directorykeywordextended/home/aliceThe working directory of the process.
11529.1.0trueprocessprocess.hash.cdhashkeywordextended3783b4052fd474dbe30676b45c329e7a6d44acd9The Code Directory (CD) hash of an executable.
11539.1.0trueprocessprocess.hash.md5keywordextendedMD5 hash.
11549.1.0trueprocessprocess.hash.sha1keywordextendedSHA1 hash.
11559.1.0trueprocessprocess.hash.sha256keywordextendedSHA256 hash.
11569.1.0trueprocessprocess.hash.sha384keywordextendedSHA384 hash.
11579.1.0trueprocessprocess.hash.sha512keywordextendedSHA512 hash.
11589.1.0trueprocessprocess.hash.ssdeepkeywordextendedSSDEEP hash.
11599.1.0trueprocessprocess.hash.tlshkeywordextendedTLSH hash.
11609.1.0trueprocessprocess.interactivebooleanextendedTrueWhether the process is connected to an interactive shell.
11619.1.0trueprocessprocess.ioobjectextendedA chunk of input or output (IO) from a single process.
11629.1.0trueprocessprocess.io.bytes_skippedobjectextendedarrayAn array of byte offsets and lengths denoting where IO data has been skipped.
11639.1.0trueprocessprocess.io.bytes_skipped.lengthlongextendedThe length of bytes skipped.
11649.1.0trueprocessprocess.io.bytes_skipped.offsetlongextendedThe byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped.
11659.1.0trueprocessprocess.io.max_bytes_per_process_exceededbooleanextendedIf true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting.
11669.1.0trueprocessprocess.io.textkeywordextendedA chunk of output or input sanitized to UTF-8.
11679.1.0trueprocessprocess.io.total_bytes_capturedlongextendedThe total number of bytes captured in this event.
11689.1.0trueprocessprocess.io.total_bytes_skippedlongextendedThe total number of bytes that were not captured due to implementation restrictions such as buffer size limits.
11699.1.0trueprocessprocess.io.typekeywordextendedThe type of object on which the IO action (read or write) was taken.
11709.1.0trueprocessprocess.macho.go_import_hashkeywordextended10bddcb4cee42080f76c88d9ff964491A hash of the Go language imports in a Mach-O file.
11719.1.0trueprocessprocess.macho.go_importsflat_objectextendedList of imported Go language element names and types.
11729.1.0trueprocessprocess.macho.go_imports_names_entropylongextendedShannon entropy calculation from the list of Go imports.
11739.1.0trueprocessprocess.macho.go_imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of Go imports.
11749.1.0trueprocessprocess.macho.go_strippedbooleanextendedWhether the file is a stripped or obfuscated Go executable.
11759.1.0trueprocessprocess.macho.import_hashkeywordextendedd41d8cd98f00b204e9800998ecf8427eA hash of the imports in a Mach-O file.
11769.1.0trueprocessprocess.macho.importsflat_objectextendedarrayList of imported element names and types.
11779.1.0trueprocessprocess.macho.imports_names_entropylongextendedShannon entropy calculation from the list of imported element names and types.
11789.1.0trueprocessprocess.macho.imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of imported element names and types.
11799.1.0trueprocessprocess.macho.sectionsnestedextendedarraySection information of the Mach-O file.
11809.1.0trueprocessprocess.macho.sections.entropylongextendedShannon entropy calculation from the section.
11819.1.0trueprocessprocess.macho.sections.namekeywordextendedMach-O Section List name.
11829.1.0trueprocessprocess.macho.sections.physical_sizelongextendedMach-O Section List physical size.
11839.1.0trueprocessprocess.macho.sections.var_entropylongextendedVariance for Shannon entropy calculation from the section.
11849.1.0trueprocessprocess.macho.sections.virtual_sizelongextendedMach-O Section List virtual size. This is always the same as `physical_size`.
11859.1.0trueprocessprocess.macho.symhashkeywordextendedd3ccf195b62a9279c3c19af1080497ecA hash of the imports in a Mach-O file.
11869.1.0trueprocessprocess.namekeywordextendedsshProcess name.
11879.1.0trueprocessprocess.parent.argskeywordextendedarray["/usr/bin/ssh", "-l", "user", "10.0.0.16"]Array of process arguments.
11889.1.0trueprocessprocess.parent.args_countlongextended4Length of the process.args array.
11899.1.0trueprocessprocess.parent.code_signature.digest_algorithmkeywordextendedsha256Hashing algorithm used to sign the process.
11909.1.0trueprocessprocess.parent.code_signature.existsbooleancoretrueBoolean to capture if a signature is present.
11919.1.0trueprocessprocess.parent.code_signature.flagskeywordextended570522385Code signing flags of the process
11929.1.0trueprocessprocess.parent.code_signature.signing_idkeywordextendedcom.apple.xpc.proxyThe identifier used to sign the process.
11939.1.0trueprocessprocess.parent.code_signature.statuskeywordextendedERROR_UNTRUSTED_ROOTAdditional information about the certificate status.
11949.1.0trueprocessprocess.parent.code_signature.subject_namekeywordcoreMicrosoft CorporationSubject name of the code signer
11959.1.0trueprocessprocess.parent.code_signature.team_idkeywordextendedEQHXZ8M8AVThe team identifier used to sign the process.
11969.1.0trueprocessprocess.parent.code_signature.thumbprint_sha256keywordextendedc0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476bSHA256 hash of the certificate.
11979.1.0trueprocessprocess.parent.code_signature.timestampdateextended2021-01-01T12:10:30ZWhen the signature was generated and signed.
11989.1.0trueprocessprocess.parent.code_signature.trustedbooleanextendedtrueStores the trust status of the certificate chain.
11999.1.0trueprocessprocess.parent.code_signature.validbooleanextendedtrueBoolean to capture if the digital signature is verified against the binary content.
12009.1.0trueprocessprocess.parent.command_linekeywordextended/usr/bin/ssh -l user 10.0.0.16Full command line that started the process.
12019.1.0trueprocessprocess.parent.elf.architecturekeywordextendedx86-64Machine architecture of the ELF file.
12029.1.0trueprocessprocess.parent.elf.byte_orderkeywordextendedLittle EndianByte sequence of ELF file.
12039.1.0trueprocessprocess.parent.elf.cpu_typekeywordextendedIntelCPU type of the ELF file.
12049.1.0trueprocessprocess.parent.elf.creation_datedateextendedBuild or compile date.
12059.1.0trueprocessprocess.parent.elf.exportsflat_objectextendedarrayList of exported element names and types.
12069.1.0trueprocessprocess.parent.elf.go_import_hashkeywordextended10bddcb4cee42080f76c88d9ff964491A hash of the Go language imports in an ELF file.
12079.1.0trueprocessprocess.parent.elf.go_importsflat_objectextendedList of imported Go language element names and types.
12089.1.0trueprocessprocess.parent.elf.go_imports_names_entropylongextendedShannon entropy calculation from the list of Go imports.
12099.1.0trueprocessprocess.parent.elf.go_imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of Go imports.
12109.1.0trueprocessprocess.parent.elf.go_strippedbooleanextendedWhether the file is a stripped or obfuscated Go executable.
12119.1.0trueprocessprocess.parent.elf.header.abi_versionkeywordextendedVersion of the ELF Application Binary Interface (ABI).
12129.1.0trueprocessprocess.parent.elf.header.classkeywordextendedHeader class of the ELF file.
12139.1.0trueprocessprocess.parent.elf.header.datakeywordextendedData table of the ELF header.
12149.1.0trueprocessprocess.parent.elf.header.entrypointlongextendedHeader entrypoint of the ELF file.
12159.1.0trueprocessprocess.parent.elf.header.object_versionkeywordextended"0x1" for original ELF files.
12169.1.0trueprocessprocess.parent.elf.header.os_abikeywordextendedApplication Binary Interface (ABI) of the Linux OS.
12179.1.0trueprocessprocess.parent.elf.header.typekeywordextendedHeader type of the ELF file.
12189.1.0trueprocessprocess.parent.elf.header.versionkeywordextendedVersion of the ELF header.
12199.1.0trueprocessprocess.parent.elf.import_hashkeywordextendedd41d8cd98f00b204e9800998ecf8427eA hash of the imports in an ELF file.
12209.1.0trueprocessprocess.parent.elf.importsflat_objectextendedarrayList of imported element names and types.
12219.1.0trueprocessprocess.parent.elf.imports_names_entropylongextendedShannon entropy calculation from the list of imported element names and types.
12229.1.0trueprocessprocess.parent.elf.imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of imported element names and types.
12239.1.0trueprocessprocess.parent.elf.sectionsnestedextendedarraySection information of the ELF file.
12249.1.0trueprocessprocess.parent.elf.sections.chi2longextendedChi-square probability distribution of the section.
12259.1.0trueprocessprocess.parent.elf.sections.entropylongextendedShannon entropy calculation from the section.
12269.1.0trueprocessprocess.parent.elf.sections.flagskeywordextendedELF Section List flags.
12279.1.0trueprocessprocess.parent.elf.sections.namekeywordextendedELF Section List name.
12289.1.0trueprocessprocess.parent.elf.sections.physical_offsetkeywordextendedELF Section List offset.
12299.1.0trueprocessprocess.parent.elf.sections.physical_sizelongextendedELF Section List physical size.
12309.1.0trueprocessprocess.parent.elf.sections.typekeywordextendedELF Section List type.
12319.1.0trueprocessprocess.parent.elf.sections.var_entropylongextendedVariance for Shannon entropy calculation from the section.
12329.1.0trueprocessprocess.parent.elf.sections.virtual_addresslongextendedELF Section List virtual address.
12339.1.0trueprocessprocess.parent.elf.sections.virtual_sizelongextendedELF Section List virtual size.
12349.1.0trueprocessprocess.parent.elf.segmentsnestedextendedarrayELF object segment list.
12359.1.0trueprocessprocess.parent.elf.segments.sectionskeywordextendedELF object segment sections.
12369.1.0trueprocessprocess.parent.elf.segments.typekeywordextendedELF object segment type.
12379.1.0trueprocessprocess.parent.elf.shared_librarieskeywordextendedarrayList of shared libraries used by this ELF object.
12389.1.0trueprocessprocess.parent.elf.telfhashkeywordextendedtelfhash hash for ELF file.
12399.1.0trueprocessprocess.parent.enddateextended2016-05-23T08:05:34.853ZThe time the process ended.
12409.1.0trueprocessprocess.parent.entity_idkeywordextendedc2c455d9f99375dUnique identifier for the process.
12419.1.0trueprocessprocess.parent.executablekeywordextended/usr/bin/sshAbsolute path to the process executable.
12429.1.0trueprocessprocess.parent.exit_codelongextended137The exit code of the process.
12439.1.0trueprocessprocess.parent.group.idkeywordextendedUnique identifier for the group on the system/platform.
12449.1.0trueprocessprocess.parent.group.namekeywordextendedName of the group.
12459.1.0trueprocessprocess.parent.group_leader.entity_idkeywordextendedc2c455d9f99375dUnique identifier for the process.
12469.1.0trueprocessprocess.parent.group_leader.pidlongcore4242Process id.
12479.1.0trueprocessprocess.parent.group_leader.startdateextended2016-05-23T08:05:34.853ZThe time the process started.
12489.1.0trueprocessprocess.parent.group_leader.vpidlongcore4242Virtual process id.
12499.1.0trueprocessprocess.parent.hash.cdhashkeywordextended3783b4052fd474dbe30676b45c329e7a6d44acd9The Code Directory (CD) hash of an executable.
12509.1.0trueprocessprocess.parent.hash.md5keywordextendedMD5 hash.
12519.1.0trueprocessprocess.parent.hash.sha1keywordextendedSHA1 hash.
12529.1.0trueprocessprocess.parent.hash.sha256keywordextendedSHA256 hash.
12539.1.0trueprocessprocess.parent.hash.sha384keywordextendedSHA384 hash.
12549.1.0trueprocessprocess.parent.hash.sha512keywordextendedSHA512 hash.
12559.1.0trueprocessprocess.parent.hash.ssdeepkeywordextendedSSDEEP hash.
12569.1.0trueprocessprocess.parent.hash.tlshkeywordextendedTLSH hash.
12579.1.0trueprocessprocess.parent.interactivebooleanextendedTrueWhether the process is connected to an interactive shell.
12589.1.0trueprocessprocess.parent.macho.go_import_hashkeywordextended10bddcb4cee42080f76c88d9ff964491A hash of the Go language imports in a Mach-O file.
12599.1.0trueprocessprocess.parent.macho.go_importsflat_objectextendedList of imported Go language element names and types.
12609.1.0trueprocessprocess.parent.macho.go_imports_names_entropylongextendedShannon entropy calculation from the list of Go imports.
12619.1.0trueprocessprocess.parent.macho.go_imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of Go imports.
12629.1.0trueprocessprocess.parent.macho.go_strippedbooleanextendedWhether the file is a stripped or obfuscated Go executable.
12639.1.0trueprocessprocess.parent.macho.import_hashkeywordextendedd41d8cd98f00b204e9800998ecf8427eA hash of the imports in a Mach-O file.
12649.1.0trueprocessprocess.parent.macho.importsflat_objectextendedarrayList of imported element names and types.
12659.1.0trueprocessprocess.parent.macho.imports_names_entropylongextendedShannon entropy calculation from the list of imported element names and types.
12669.1.0trueprocessprocess.parent.macho.imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of imported element names and types.
12679.1.0trueprocessprocess.parent.macho.sectionsnestedextendedarraySection information of the Mach-O file.
12689.1.0trueprocessprocess.parent.macho.sections.entropylongextendedShannon entropy calculation from the section.
12699.1.0trueprocessprocess.parent.macho.sections.namekeywordextendedMach-O Section List name.
12709.1.0trueprocessprocess.parent.macho.sections.physical_sizelongextendedMach-O Section List physical size.
12719.1.0trueprocessprocess.parent.macho.sections.var_entropylongextendedVariance for Shannon entropy calculation from the section.
12729.1.0trueprocessprocess.parent.macho.sections.virtual_sizelongextendedMach-O Section List virtual size. This is always the same as `physical_size`.
12739.1.0trueprocessprocess.parent.macho.symhashkeywordextendedd3ccf195b62a9279c3c19af1080497ecA hash of the imports in a Mach-O file.
12749.1.0trueprocessprocess.parent.namekeywordextendedsshProcess name.
12759.1.0trueprocessprocess.parent.pe.architecturekeywordextendedx64CPU architecture target for the file.
12769.1.0trueprocessprocess.parent.pe.companykeywordextendedMicrosoft CorporationInternal company name of the file, provided at compile-time.
12779.1.0trueprocessprocess.parent.pe.descriptionkeywordextendedPaintInternal description of the file, provided at compile-time.
12789.1.0trueprocessprocess.parent.pe.file_versionkeywordextended6.3.9600.17415Process name.
12799.1.0trueprocessprocess.parent.pe.go_import_hashkeywordextended10bddcb4cee42080f76c88d9ff964491A hash of the Go language imports in a PE file.
12809.1.0trueprocessprocess.parent.pe.go_importsflat_objectextendedList of imported Go language element names and types.
12819.1.0trueprocessprocess.parent.pe.go_imports_names_entropylongextendedShannon entropy calculation from the list of Go imports.
12829.1.0trueprocessprocess.parent.pe.go_imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of Go imports.
12839.1.0trueprocessprocess.parent.pe.go_strippedbooleanextendedWhether the file is a stripped or obfuscated Go executable.
12849.1.0trueprocessprocess.parent.pe.imphashkeywordextended0c6803c4e922103c4dca5963aad36ddfA hash of the imports in a PE file.
12859.1.0trueprocessprocess.parent.pe.import_hashkeywordextendedd41d8cd98f00b204e9800998ecf8427eA hash of the imports in a PE file.
12869.1.0trueprocessprocess.parent.pe.importsflat_objectextendedarrayList of imported element names and types.
12879.1.0trueprocessprocess.parent.pe.imports_names_entropylongextendedShannon entropy calculation from the list of imported element names and types.
12889.1.0trueprocessprocess.parent.pe.imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of imported element names and types.
12899.1.0trueprocessprocess.parent.pe.original_file_namekeywordextendedMSPAINT.EXEInternal name of the file, provided at compile-time.
12909.1.0trueprocessprocess.parent.pe.pehashkeywordextended73ff189b63cd6be375a7ff25179a38d347651975A hash of the PE header and data from one or more PE sections.
12919.1.0trueprocessprocess.parent.pe.productkeywordextendedMicrosoft® Windows® Operating SystemInternal product name of the file, provided at compile-time.
12929.1.0trueprocessprocess.parent.pe.sectionsnestedextendedarraySection information of the PE file.
12939.1.0trueprocessprocess.parent.pe.sections.entropylongextendedShannon entropy calculation from the section.
12949.1.0trueprocessprocess.parent.pe.sections.namekeywordextendedPE Section List name.
12959.1.0trueprocessprocess.parent.pe.sections.physical_sizelongextendedPE Section List physical size.
12969.1.0trueprocessprocess.parent.pe.sections.var_entropylongextendedVariance for Shannon entropy calculation from the section.
12979.1.0trueprocessprocess.parent.pe.sections.virtual_sizelongextendedPE Section List virtual size. This is always the same as `physical_size`.
12989.1.0trueprocessprocess.parent.pidlongcore4242Process id.
12999.1.0trueprocessprocess.parent.real_group.idkeywordextendedUnique identifier for the group on the system/platform.
13009.1.0trueprocessprocess.parent.real_group.namekeywordextendedName of the group.
13019.1.0trueprocessprocess.parent.real_user.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
13029.1.0trueprocessprocess.parent.real_user.namekeywordcorea.einsteinShort name or login of the user.
13039.1.0trueprocessprocess.parent.saved_group.idkeywordextendedUnique identifier for the group on the system/platform.
13049.1.0trueprocessprocess.parent.saved_group.namekeywordextendedName of the group.
13059.1.0trueprocessprocess.parent.saved_user.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
13069.1.0trueprocessprocess.parent.saved_user.namekeywordcorea.einsteinShort name or login of the user.
13079.1.0trueprocessprocess.parent.startdateextended2016-05-23T08:05:34.853ZThe time the process started.
13089.1.0trueprocessprocess.parent.supplemental_groups.idkeywordextendedUnique identifier for the group on the system/platform.
13099.1.0trueprocessprocess.parent.supplemental_groups.namekeywordextendedName of the group.
13109.1.0trueprocessprocess.parent.thread.capabilities.effectivekeywordextendedarray["CAP_BPF", "CAP_SYS_ADMIN"]Array of capabilities used for permission checks.
13119.1.0trueprocessprocess.parent.thread.capabilities.permittedkeywordextendedarray["CAP_BPF", "CAP_SYS_ADMIN"]Array of capabilities a thread could assume.
13129.1.0trueprocessprocess.parent.thread.idlongextended4242Thread ID.
13139.1.0trueprocessprocess.parent.thread.namekeywordextendedthread-0Thread name.
13149.1.0trueprocessprocess.parent.titlekeywordextendedProcess title.
13159.1.0trueprocessprocess.parent.ttyobjectextendedInformation about the controlling TTY device.
13169.1.0trueprocessprocess.parent.tty.char_device.majorlongextended4The TTY character device's major number.
13179.1.0trueprocessprocess.parent.tty.char_device.minorlongextended1The TTY character device's minor number.
13189.1.0trueprocessprocess.parent.uptimelongextended1325Seconds the process has been up.
13199.1.0trueprocessprocess.parent.user.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
13209.1.0trueprocessprocess.parent.user.namekeywordcorea.einsteinShort name or login of the user.
13219.1.0trueprocessprocess.parent.vpidlongcore4242Virtual process id.
13229.1.0trueprocessprocess.parent.working_directorykeywordextended/home/aliceThe working directory of the process.
13239.1.0trueprocessprocess.pe.architecturekeywordextendedx64CPU architecture target for the file.
13249.1.0trueprocessprocess.pe.companykeywordextendedMicrosoft CorporationInternal company name of the file, provided at compile-time.
13259.1.0trueprocessprocess.pe.descriptionkeywordextendedPaintInternal description of the file, provided at compile-time.
13269.1.0trueprocessprocess.pe.file_versionkeywordextended6.3.9600.17415Process name.
13279.1.0trueprocessprocess.pe.go_import_hashkeywordextended10bddcb4cee42080f76c88d9ff964491A hash of the Go language imports in a PE file.
13289.1.0trueprocessprocess.pe.go_importsflat_objectextendedList of imported Go language element names and types.
13299.1.0trueprocessprocess.pe.go_imports_names_entropylongextendedShannon entropy calculation from the list of Go imports.
13309.1.0trueprocessprocess.pe.go_imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of Go imports.
13319.1.0trueprocessprocess.pe.go_strippedbooleanextendedWhether the file is a stripped or obfuscated Go executable.
13329.1.0trueprocessprocess.pe.imphashkeywordextended0c6803c4e922103c4dca5963aad36ddfA hash of the imports in a PE file.
13339.1.0trueprocessprocess.pe.import_hashkeywordextendedd41d8cd98f00b204e9800998ecf8427eA hash of the imports in a PE file.
13349.1.0trueprocessprocess.pe.importsflat_objectextendedarrayList of imported element names and types.
13359.1.0trueprocessprocess.pe.imports_names_entropylongextendedShannon entropy calculation from the list of imported element names and types.
13369.1.0trueprocessprocess.pe.imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of imported element names and types.
13379.1.0trueprocessprocess.pe.original_file_namekeywordextendedMSPAINT.EXEInternal name of the file, provided at compile-time.
13389.1.0trueprocessprocess.pe.pehashkeywordextended73ff189b63cd6be375a7ff25179a38d347651975A hash of the PE header and data from one or more PE sections.
13399.1.0trueprocessprocess.pe.productkeywordextendedMicrosoft® Windows® Operating SystemInternal product name of the file, provided at compile-time.
13409.1.0trueprocessprocess.pe.sectionsnestedextendedarraySection information of the PE file.
13419.1.0trueprocessprocess.pe.sections.entropylongextendedShannon entropy calculation from the section.
13429.1.0trueprocessprocess.pe.sections.namekeywordextendedPE Section List name.
13439.1.0trueprocessprocess.pe.sections.physical_sizelongextendedPE Section List physical size.
13449.1.0trueprocessprocess.pe.sections.var_entropylongextendedVariance for Shannon entropy calculation from the section.
13459.1.0trueprocessprocess.pe.sections.virtual_sizelongextendedPE Section List virtual size. This is always the same as `physical_size`.
13469.1.0trueprocessprocess.pidlongcore4242Process id.
13479.1.0trueprocessprocess.previous.argskeywordextendedarray["/usr/bin/ssh", "-l", "user", "10.0.0.16"]Array of process arguments.
13489.1.0trueprocessprocess.previous.args_countlongextended4Length of the process.args array.
13499.1.0trueprocessprocess.previous.executablekeywordextended/usr/bin/sshAbsolute path to the process executable.
13509.1.0trueprocessprocess.real_group.idkeywordextendedUnique identifier for the group on the system/platform.
13519.1.0trueprocessprocess.real_group.namekeywordextendedName of the group.
13529.1.0trueprocessprocess.real_user.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
13539.1.0trueprocessprocess.real_user.namekeywordcorea.einsteinShort name or login of the user.
13549.1.0trueprocessprocess.saved_group.idkeywordextendedUnique identifier for the group on the system/platform.
13559.1.0trueprocessprocess.saved_group.namekeywordextendedName of the group.
13569.1.0trueprocessprocess.saved_user.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
13579.1.0trueprocessprocess.saved_user.namekeywordcorea.einsteinShort name or login of the user.
13589.1.0trueprocessprocess.session_leader.argskeywordextendedarray["/usr/bin/ssh", "-l", "user", "10.0.0.16"]Array of process arguments.
13599.1.0trueprocessprocess.session_leader.args_countlongextended4Length of the process.args array.
13609.1.0trueprocessprocess.session_leader.command_linekeywordextended/usr/bin/ssh -l user 10.0.0.16Full command line that started the process.
13619.1.0trueprocessprocess.session_leader.entity_idkeywordextendedc2c455d9f99375dUnique identifier for the process.
13629.1.0trueprocessprocess.session_leader.executablekeywordextended/usr/bin/sshAbsolute path to the process executable.
13639.1.0trueprocessprocess.session_leader.group.idkeywordextendedUnique identifier for the group on the system/platform.
13649.1.0trueprocessprocess.session_leader.group.namekeywordextendedName of the group.
13659.1.0trueprocessprocess.session_leader.interactivebooleanextendedTrueWhether the process is connected to an interactive shell.
13669.1.0trueprocessprocess.session_leader.namekeywordextendedsshProcess name.
13679.1.0trueprocessprocess.session_leader.parent.entity_idkeywordextendedc2c455d9f99375dUnique identifier for the process.
13689.1.0trueprocessprocess.session_leader.parent.pidlongcore4242Process id.
13699.1.0trueprocessprocess.session_leader.parent.session_leader.entity_idkeywordextendedc2c455d9f99375dUnique identifier for the process.
13709.1.0trueprocessprocess.session_leader.parent.session_leader.pidlongcore4242Process id.
13719.1.0trueprocessprocess.session_leader.parent.session_leader.startdateextended2016-05-23T08:05:34.853ZThe time the process started.
13729.1.0trueprocessprocess.session_leader.parent.session_leader.vpidlongcore4242Virtual process id.
13739.1.0trueprocessprocess.session_leader.parent.startdateextended2016-05-23T08:05:34.853ZThe time the process started.
13749.1.0trueprocessprocess.session_leader.parent.vpidlongcore4242Virtual process id.
13759.1.0trueprocessprocess.session_leader.pidlongcore4242Process id.
13769.1.0trueprocessprocess.session_leader.real_group.idkeywordextendedUnique identifier for the group on the system/platform.
13779.1.0trueprocessprocess.session_leader.real_group.namekeywordextendedName of the group.
| ECS_Version | Indexed | Field_Set | Field | Type | Level | Normalization | Example | Description |
|---|---|---|---|---|---|---|---|---|
| 9.1.0 | true | process | process.session_leader.real_user.id | keyword | core | | S-1-5-21-202424912787-2692429404-2351956786-1000 | Unique identifier of the user. |
| 9.1.0 | true | process | process.session_leader.real_user.name | keyword | core | | a.einstein | Short name or login of the user. |
| 9.1.0 | true | process | process.session_leader.same_as_process | boolean | extended | | True | This boolean is used to identify if a leader process is the same as the top level process. |
| 9.1.0 | true | process | process.session_leader.saved_group.id | keyword | extended | | | Unique identifier for the group on the system/platform. |
| 9.1.0 | true | process | process.session_leader.saved_group.name | keyword | extended | | | Name of the group. |
| 9.1.0 | true | process | process.session_leader.saved_user.id | keyword | core | | S-1-5-21-202424912787-2692429404-2351956786-1000 | Unique identifier of the user. |
| 9.1.0 | true | process | process.session_leader.saved_user.name | keyword | core | | a.einstein | Short name or login of the user. |
| 9.1.0 | true | process | process.session_leader.start | date | extended | | 2016-05-23T08:05:34.853Z | The time the process started. |
| 9.1.0 | true | process | process.session_leader.supplemental_groups.id | keyword | extended | | | Unique identifier for the group on the system/platform. |
| 9.1.0 | true | process | process.session_leader.supplemental_groups.name | keyword | extended | | | Name of the group. |
| 9.1.0 | true | process | process.session_leader.tty | object | extended | | | Information about the controlling TTY device. |
| 9.1.0 | true | process | process.session_leader.tty.char_device.major | long | extended | | 4 | The TTY character device's major number. |
| 9.1.0 | true | process | process.session_leader.tty.char_device.minor | long | extended | | 1 | The TTY character device's minor number. |
| 9.1.0 | true | process | process.session_leader.user.id | keyword | core | | S-1-5-21-202424912787-2692429404-2351956786-1000 | Unique identifier of the user. |
| 9.1.0 | true | process | process.session_leader.user.name | keyword | core | | a.einstein | Short name or login of the user. |
| 9.1.0 | true | process | process.session_leader.vpid | long | core | | 4242 | Virtual process id. |
| 9.1.0 | true | process | process.session_leader.working_directory | keyword | extended | | /home/alice | The working directory of the process. |
| 9.1.0 | true | process | process.start | date | extended | | 2016-05-23T08:05:34.853Z | The time the process started. |
| 9.1.0 | true | process | process.supplemental_groups.id | keyword | extended | | | Unique identifier for the group on the system/platform. |
| 9.1.0 | true | process | process.supplemental_groups.name | keyword | extended | | | Name of the group. |
| 9.1.0 | true | process | process.thread.capabilities.effective | keyword | extended | array | `["CAP_BPF", "CAP_SYS_ADMIN"]` | Array of capabilities used for permission checks. |
| 9.1.0 | true | process | process.thread.capabilities.permitted | keyword | extended | array | `["CAP_BPF", "CAP_SYS_ADMIN"]` | Array of capabilities a thread could assume. |
| 9.1.0 | true | process | process.thread.id | long | extended | | 4242 | Thread ID. |
| 9.1.0 | true | process | process.thread.name | keyword | extended | | thread-0 | Thread name. |
| 9.1.0 | true | process | process.title | keyword | extended | | | Process title. |
| 9.1.0 | true | process | process.tty | object | extended | | | Information about the controlling TTY device. |
| 9.1.0 | true | process | process.tty.char_device.major | long | extended | | 4 | The TTY character device's major number. |
| 9.1.0 | true | process | process.tty.char_device.minor | long | extended | | 1 | The TTY character device's minor number. |
| 9.1.0 | true | process | process.tty.columns | long | extended | | 80 | The number of character columns per line, e.g. terminal width. |
| 9.1.0 | true | process | process.tty.rows | long | extended | | 24 | The number of character rows in the terminal, e.g. terminal height. |
| 9.1.0 | true | process | process.uptime | long | extended | | 1325 | Seconds the process has been up. |
| 9.1.0 | true | process | process.user.id | keyword | core | | S-1-5-21-202424912787-2692429404-2351956786-1000 | Unique identifier of the user. |
| 9.1.0 | true | process | process.user.name | keyword | core | | a.einstein | Short name or login of the user. |
| 9.1.0 | true | process | process.vpid | long | core | | 4242 | Virtual process id. |
| 9.1.0 | true | process | process.working_directory | keyword | extended | | /home/alice | The working directory of the process. |
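The `process.thread.capabilities.effective` and `process.thread.capabilities.permitted` rows above distinguish the capabilities a thread is using from those it could still raise. The following Python is an added example for this page, not Wazuh's own detection logic: it reads those fields from an event dictionary laid out as in the schema, flags a non-root process (`process.user.id` other than `"0"`) that holds a root-equivalent effective capability, and reports capabilities that are permitted but not effective, which a thread can re-enable with `capset(2)`. The sample events are constructed, `process.pid` is an ECS field not shown in this excerpt, and the "root-equivalent" list is an analyst's choice rather than anything the schema defines.

```python
"""Check process.thread.capabilities.* against process.user.id.

Added example for this schema section; not Wazuh's own code. The event
dicts are constructed, and ROOT_EQUIVALENT_CAPS is an analyst-chosen set,
not something the schema defines.
"""

# Capabilities that by themselves give near-root power (analyst-chosen set).
ROOT_EQUIVALENT_CAPS = frozenset({
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_BPF",
    "CAP_DAC_OVERRIDE", "CAP_SETUID", "CAP_SYS_RAWIO",
})


def get_field(event, dotted, default=None):
    """Resolve a dotted schema field name (e.g. 'process.user.id') in a nested dict."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def as_list(value):
    """Fields normalized as 'array' should be lists; tolerate a lone keyword."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def capability_findings(event):
    """Describe the capability state of one event.

    dangerous_effective: root-equivalent caps in the effective set (the set
        used for permission checks, per the schema description)
    dormant: root-equivalent caps that are permitted but not effective; a
        thread can re-raise these with capset(2), so they are latent privilege
    flag: True when a non-root user (process.user.id != '0') holds a
        root-equivalent effective capability; root holding them is expected
    """
    effective = set(as_list(get_field(event, "process.thread.capabilities.effective")))
    permitted = set(as_list(get_field(event, "process.thread.capabilities.permitted")))
    uid = get_field(event, "process.user.id")
    dangerous = effective & ROOT_EQUIVALENT_CAPS
    return {
        "dangerous_effective": sorted(dangerous),
        "dormant": sorted((permitted - effective) & ROOT_EQUIVALENT_CAPS),
        "flag": bool(dangerous) and uid is not None and str(uid) != "0",
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # uid 1000 running with CAP_SYS_ADMIN effective: worth an alert
        "process": {"pid": 4242, "user": {"id": "1000", "name": "alice"},
                    "thread": {"capabilities": {
                        "effective": ["CAP_SYS_ADMIN", "CAP_BPF"],
                        "permitted": ["CAP_SYS_ADMIN", "CAP_BPF"]}}},
    },
    {   # root with the same set: expected, no flag
        "process": {"pid": 1, "user": {"id": "0", "name": "root"},
                    "thread": {"capabilities": {
                        "effective": ["CAP_SYS_ADMIN"],
                        "permitted": ["CAP_SYS_ADMIN"]}}},
    },
    {   # service that dropped CAP_SYS_PTRACE from effective but kept it permitted
        "process": {"pid": 777, "user": {"id": "33", "name": "www-data"},
                    "thread": {"capabilities": {
                        "effective": ["CAP_NET_BIND_SERVICE"],
                        "permitted": ["CAP_NET_BIND_SERVICE", "CAP_SYS_PTRACE"]}}},
    },
]


def flagged_pids(events=SAMPLE_EVENTS):
    """Pids of the events whose findings set 'flag'."""
    return [get_field(e, "process.pid") for e in events if capability_findings(e)["flag"]]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(get_field(e, "process.pid"), capability_findings(e))
```

The third sample is why `permitted` is worth indexing alongside `effective`: the process is not currently privileged, so a rule on `effective` alone stays quiet, yet the `dormant` list shows it can become so without any further privilege grant.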
| ECS_Version | Indexed | Field_Set | Field | Type | Level | Normalization | Example | Description |
|---|---|---|---|---|---|---|---|---|
| 9.1.0 | true | registry | registry.data.bytes | keyword | extended | | ZQBuAC0AVQBTAAAAZQBuAAAAAAA= | Original bytes written with base64 encoding. |
| 9.1.0 | true | registry | registry.data.strings | keyword | core | array | `["C:\rta\red_ttp\bin\myapp.exe"]` | List of strings representing what was written to the registry. |
| 9.1.0 | true | registry | registry.data.type | keyword | core | | REG_SZ | Standard registry type for encoding contents |
| 9.1.0 | true | registry | registry.hive | keyword | core | | HKLM | Abbreviated name for the hive. |
| 9.1.0 | true | registry | registry.key | keyword | core | | `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe` | Hive-relative path of keys. |
| 9.1.0 | true | registry | registry.path | keyword | core | | `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger` | Full path, including hive, key and value |
| 9.1.0 | true | registry | registry.value | keyword | core | | Debugger | Name of the value written. |
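The registry rows carry the raw value twice: `registry.data.bytes` as base64 and `registry.data.strings` as the producer's decoded form, with `registry.data.type` saying how the bytes are encoded. The example key and value shown (an `Image File Execution Options\<exe>` key with a `Debugger` value) is the registry write behind debugger-hijack persistence. The Python below is an added example for this page, not Wazuh's decoder or a Wazuh rule: it decodes `registry.data.bytes` according to `registry.data.type` (so `registry.data.strings` can be rebuilt when a producer omits it) and matches the IFEO `Debugger` pattern, including the `WOW6432Node` view. The sample events are constructed; the page's own base64 example is used as one test input.

```python
"""Decode registry.data.bytes per registry.data.type and detect an IFEO
"Debugger" hijack from the registry.* fields.

Added example for this schema section, not Wazuh's own decoder or rule.
Sample events are constructed; IFEO_KEY is the standard Windows location.
"""
import base64
import re
import struct

IFEO_KEY = re.compile(
    r"^SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows NT\\CurrentVersion\\"
    r"Image File Execution Options\\(?P<target>[^\\]+)$",
    re.IGNORECASE,
)


def decode_registry_data(data_type, data_b64):
    """Turn registry.data.bytes (base64) into the registry.data.strings list.

    Windows string values are UTF-16LE with a NUL terminator; REG_MULTI_SZ
    is a run of NUL-terminated strings closed by an extra NUL. Numeric types
    are little-endian integers; anything else is returned as hex.
    """
    raw = base64.b64decode(data_b64)
    if data_type in ("REG_SZ", "REG_EXPAND_SZ"):
        return [raw.decode("utf-16-le", errors="replace").rstrip("\x00")]
    if data_type == "REG_MULTI_SZ":
        text = raw.decode("utf-16-le", errors="replace")
        return [s for s in text.split("\x00") if s]
    if data_type == "REG_DWORD" and len(raw) >= 4:
        return [str(struct.unpack("<I", raw[:4])[0])]
    if data_type == "REG_QWORD" and len(raw) >= 8:
        return [str(struct.unpack("<Q", raw[:8])[0])]
    return [raw.hex()]


def ifeo_debugger_hijack(event):
    """Return (target_exe, debugger_command) for a write of the IFEO Debugger
    value under HKLM, or None. Falls back to decoding data.bytes when the
    producer did not fill registry.data.strings."""
    reg = event.get("registry") or {}
    if reg.get("hive") != "HKLM" or str(reg.get("value", "")).lower() != "debugger":
        return None
    match = IFEO_KEY.match(reg.get("key") or "")
    if not match:
        return None
    data = reg.get("data") or {}
    strings = data.get("strings")
    if not strings and data.get("bytes"):
        strings = decode_registry_data(data.get("type", "REG_BINARY"), data["bytes"])
    return (match.group("target"), strings[0] if strings else None)


def b64_utf16(s):
    """Encode a string the way registry.data.bytes carries REG_SZ data (for the samples)."""
    return base64.b64encode((s + "\x00").encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # the page's own example row, with data.strings filled in by the producer
        "registry": {"hive": "HKLM",
                     "key": r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe",
                     "value": "Debugger",
                     "data": {"type": "REG_SZ", "strings": [r"C:\rta\red_ttp\bin\myapp.exe"]}},
    },
    {   # same technique under the WOW6432Node view, only raw bytes available
        "registry": {"hive": "HKLM",
                     "key": r"SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe",
                     "value": "Debugger",
                     "data": {"type": "REG_SZ", "bytes": b64_utf16(r"C:\Windows\System32\cmd.exe")}},
    },
    {   # benign: a different value under an IFEO key, not a hijack
        "registry": {"hive": "HKLM",
                     "key": r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe",
                     "value": "GlobalFlag",
                     "data": {"type": "REG_DWORD", "bytes": "AQAAAA=="}},
    },
]


def hijacks(events=SAMPLE_EVENTS):
    """(target, debugger) pairs for every event that matches."""
    return [h for h in (ifeo_debugger_hijack(e) for e in events) if h]


if __name__ == "__main__":
    print(decode_registry_data("REG_MULTI_SZ", "ZQBuAC0AVQBTAAAAZQBuAAAAAAA="))
    print(hijacks())
```

Matching on `registry.key` plus `registry.value` rather than on `registry.path` keeps the rule independent of how a producer abbreviates the hive in the full path, and decoding from `registry.data.bytes` means the detection does not silently fail when `registry.data.strings` is absent.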
| ECS_Version | Indexed | Field_Set | Field | Type | Level | Normalization | Example | Description |
|---|---|---|---|---|---|---|---|---|
| 9.1.0 | true | related | related.hash | keyword | extended | array | | All the hashes seen on your event. |
| 9.1.0 | true | related | related.hosts | keyword | extended | array | | All the host identifiers seen on your event. |
| 9.1.0 | true | related | related.ip | ip | extended | array | | All of the IPs seen on your event. |
| 9.1.0 | true | related | related.user | keyword | extended | array | | All the user names or other user identifiers seen on the event. |
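The `related.*` fields exist so that a single query (`related.ip: 1.2.3.4`) finds an address whichever role it played in the event, but nothing fills them automatically: the producer or pipeline has to copy the per-entity values in. The Python below is an added example for this page, not a Wazuh pipeline component: it walks the event for the source-field paths listed at the top (a choice drawn from the ECS field sets, including the nested `threat.enrichments[].indicator` objects), drops values that are not valid addresses (since `related.ip` is typed `ip` and would be rejected at index time), lower-cases hashes and host names so each appears in one form, and de-duplicates. The event is constructed; the path lists are assumptions to adjust to what your producers emit.

```python
"""Populate related.ip / related.user / related.hosts / related.hash from
the per-entity fields of an event.

Added example for this schema section, not Wazuh's own enrichment. The
event is constructed; the *_FIELDS lists are an analyst's choice drawn
from ECS field sets, not something the schema mandates.
"""
import ipaddress

IP_FIELDS = ["source.ip", "source.nat.ip", "destination.ip", "destination.nat.ip",
             "client.ip", "server.ip", "server.nat.ip", "host.ip",
             "threat.enrichments[].indicator.ip"]
USER_FIELDS = ["user.name", "user.id", "source.user.name", "server.user.name",
               "client.user.name", "destination.user.name", "process.user.name",
               "process.real_user.name", "process.session_leader.user.name"]
HOST_FIELDS = ["host.name", "host.hostname", "source.domain", "server.domain",
               "client.domain", "destination.domain", "url.domain"]
HASH_PREFIXES = ["file.hash", "process.hash", "process.parent.hash",
                 "threat.enrichments[].indicator.file.hash"]


def collect(node, path):
    """Yield every value at `path` inside `node`.

    A segment ending in '[]' fans out over a list (the schema marks
    threat.enrichments as nested, i.e. a list of objects); a list at the
    leaf yields each element (host.ip is normalized as an array)."""
    if not path:
        if isinstance(node, list):
            for item in node:
                yield from collect(item, path)
        elif node is not None:
            yield node
        return
    segment, _, rest = path.partition(".")
    fan_out = segment.endswith("[]")
    key = segment[:-2] if fan_out else segment
    if not isinstance(node, dict) or key not in node:
        return
    child = node[key]
    if fan_out:
        for item in (child if isinstance(child, list) else [child]):
            yield from collect(item, rest)
    else:
        yield from collect(child, rest)


def dedupe(values):
    """Order-preserving de-duplication."""
    seen, out = set(), []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def populate_related(event):
    """Return a shallow copy of `event` with the related.* fields filled in."""
    ips = []
    for path in IP_FIELDS:
        for v in collect(event, path):
            try:  # related.ip is an `ip` field: keep only parseable addresses
                ips.append(str(ipaddress.ip_address(str(v))))
            except ValueError:
                pass
    users = [str(v) for p in USER_FIELDS for v in collect(event, p)]
    hosts = [str(v).lower() for p in HOST_FIELDS for v in collect(event, p)]
    hashes = []
    for prefix in HASH_PREFIXES:
        for v in collect(event, prefix):  # a *.hash object holds md5/sha1/... keys
            hashes.extend(v.values() if isinstance(v, dict) else [v])
    hashes = [str(h).lower() for h in hashes]
    related = {name: dedupe(vals) for name, vals in
               (("ip", ips), ("user", users), ("hosts", hosts), ("hash", hashes)) if vals}
    out = dict(event)
    if related:
        out["related"] = related
    return out


# Constructed sample event (not real telemetry).
SAMPLE_EVENT = {
    "source": {"ip": "10.0.0.5", "nat": {"ip": "203.0.113.9"},
               "user": {"name": "a.einstein"}, "domain": "Foo.Example.com"},
    "server": {"ip": "192.0.2.10", "domain": "foo.example.com", "user": {"name": "svc-db"}},
    "host": {"name": "ws-17", "ip": ["10.0.0.5", "fe80::1"]},
    "process": {"user": {"name": "a.einstein"},
                "hash": {"sha256": "C0F23A8EB1CBA0CCAA88483B5A234C96E4BDFEC719BF458024E68C2A8183476B"}},
    "file": {"hash": {"md5": "d41d8cd98f00b204e9800998ecf8427e"}},
    "threat": {"enrichments": [{"indicator": {"ip": "1.2.3.4"}},
                               {"indicator": {"ip": "not-an-ip"}}]},
}

if __name__ == "__main__":
    print(populate_related(SAMPLE_EVENT)["related"])
```

Note the two traps the sample exercises: the indicator value `not-an-ip` is dropped rather than copied (one bad element in an `ip`-typed array rejects the whole document), and the mixed-case `Foo.Example.com` and upper-case SHA-256 collapse onto their lower-case twins so a `related.hosts` or `related.hash` term query needs only one form.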
| ECS_Version | Indexed | Field_Set | Field | Type | Level | Normalization | Example | Description |
|---|---|---|---|---|---|---|---|---|
| 9.1.0 | true | resource | resource.id | keyword | custom | | example-id | The unique identifier of the Google Cloud resource |
| 9.1.0 | true | resource | resource.name | keyword | custom | | example-name | The human-readable name of the Google Cloud resource |
| 9.1.0 | true | resource | resource.type | keyword | custom | | example-type | The type of Google Cloud resource |
| 9.1.0 | true | result | result.evaluation | keyword | custom | | example-evaluation | The result of evaluating a security policy or compliance check |
| 9.1.0 | true | rule | rule.author | keyword | extended | array | `["Star-Lord"]` | Rule author |
| 9.1.0 | true | rule | rule.category | keyword | extended | | Attempted Information Leak | Rule category |
| 9.1.0 | true | rule | rule.description | keyword | extended | | Block requests to public DNS over HTTPS / TLS protocols | Rule description |
| 9.1.0 | true | rule | rule.id | keyword | extended | | 101 | Rule ID |
| 9.1.0 | true | rule | rule.license | keyword | extended | | Apache 2.0 | Rule license |
| 9.1.0 | true | rule | rule.name | keyword | extended | | BLOCK_DNS_over_TLS | Rule name |
| 9.1.0 | true | rule | rule.reference | keyword | extended | | https://en.wikipedia.org/wiki/DNS_over_TLS | Rule reference URL |
| 9.1.0 | true | rule | rule.ruleset | keyword | extended | | Standard_Protocol_Filters | Rule ruleset |
| 9.1.0 | true | rule | rule.uuid | keyword | extended | | 1100110011 | Rule UUID |
| 9.1.0 | true | rule | rule.version | keyword | extended | | 1.1 | Rule version |
| 9.1.0 | true | server | server.address | keyword | extended | | | Server network address. |
| 9.1.0 | true | server | server.as.number | long | extended | | 15169 | Unique number allocated to the autonomous system. |
| 9.1.0 | true | server | server.as.organization.name | keyword | extended | | Google LLC | Organization name. |
| 9.1.0 | true | server | server.bytes | long | core | | 184 | Bytes sent from the server to the client. |
| 9.1.0 | true | server | server.domain | keyword | core | | foo.example.com | The domain name of the server. |
| 9.1.0 | true | server | server.geo.city_name | keyword | core | | Montreal | City name. |
| 9.1.0 | true | server | server.geo.continent_code | keyword | core | | NA | Continent code. |
| 9.1.0 | true | server | server.geo.continent_name | keyword | core | | North America | Name of the continent. |
| 9.1.0 | true | server | server.geo.country_iso_code | keyword | core | | CA | Country ISO code. |
| 9.1.0 | true | server | server.geo.country_name | keyword | core | | Canada | Country name. |
| 9.1.0 | true | server | server.geo.location | geo_point | core | | `{ "lon": -73.614830, "lat": 45.505918 }` | Longitude and latitude. |
| 9.1.0 | true | server | server.geo.name | keyword | extended | | boston-dc | User-defined description of a location. |
| 9.1.0 | true | server | server.geo.postal_code | keyword | core | | 94040 | Postal code. |
| 9.1.0 | true | server | server.geo.region_iso_code | keyword | core | | CA-QC | Region ISO code. |
| 9.1.0 | true | server | server.geo.region_name | keyword | core | | Quebec | Region name. |
| 9.1.0 | true | server | server.geo.timezone | keyword | core | | America/Argentina/Buenos_Aires | Time zone. |
| 9.1.0 | true | server | server.ip | ip | core | | | IP address of the server. |
| 9.1.0 | true | server | server.mac | keyword | core | | 00-00-5E-00-53-23 | MAC address of the server. |
| 9.1.0 | true | server | server.nat.ip | ip | extended | | | Server NAT ip |
| 9.1.0 | true | server | server.nat.port | long | extended | | | Server NAT port |
| 9.1.0 | true | server | server.packets | long | core | | 12 | Packets sent from the server to the client. |
| 9.1.0 | true | server | server.port | long | core | | | Port of the server. |
| 9.1.0 | true | server | server.registered_domain | keyword | extended | | example.com | The highest registered server domain, stripped of the subdomain. |
| 9.1.0 | true | server | server.subdomain | keyword | extended | | east | The subdomain of the domain. |
| 9.1.0 | true | server | server.top_level_domain | keyword | extended | | co.uk | The effective top level domain (com, org, net, co.uk). |
| 9.1.0 | true | server | server.user.domain | keyword | extended | | | Name of the directory the user is a member of. |
| 9.1.0 | true | server | server.user.email | keyword | extended | | | User email address. |
| 9.1.0 | true | server | server.user.full_name | keyword | extended | | Albert Einstein | User's full name, if available. |
| 9.1.0 | true | server | server.user.group.domain | keyword | extended | | | Name of the directory the group is a member of. |
| 9.1.0 | true | server | server.user.group.id | keyword | extended | | | Unique identifier for the group on the system/platform. |
| 9.1.0 | true | server | server.user.group.name | keyword | extended | | | Name of the group. |
| 9.1.0 | true | server | server.user.hash | keyword | extended | | | Unique user hash to correlate information for a user in anonymized form. |
| 9.1.0 | true | server | server.user.id | keyword | core | | S-1-5-21-202424912787-2692429404-2351956786-1000 | Unique identifier of the user. |
| 9.1.0 | true | server | server.user.name | keyword | core | | a.einstein | Short name or login of the user. |
| 9.1.0 | true | server | server.user.roles | keyword | extended | array | `["kibana_admin", "reporting_user"]` | Array of user roles at the time of the event. |
| 9.1.0 | true | service | service.address | keyword | extended | | 172.26.0.2:5432 | Address of this service. |
| 9.1.0 | true | service | service.environment | keyword | extended | | production | Environment of the service. |
| 9.1.0 | true | service | service.ephemeral_id | keyword | extended | | 8a4f500f | Ephemeral identifier of this service. |
| 9.1.0 | true | service | service.id | keyword | core | | d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 | Unique identifier of the running service. |
| 9.1.0 | true | service | service.name | keyword | core | | elasticsearch-metrics | Name of the service. |
| 9.1.0 | true | service | service.node.name | keyword | extended | | instance-0000000016 | Name of the service node. |
| 9.1.0 | true | service | service.node.role | keyword | extended | | background_tasks | Deprecated role (singular) of the service node. |
| 9.1.0 | true | service | service.node.roles | keyword | extended | array | `["ui", "background_tasks"]` | Roles of the service node. |
| 9.1.0 | true | service | service.origin.address | keyword | extended | | 172.26.0.2:5432 | Address of this service. |
| 9.1.0 | true | service | service.origin.environment | keyword | extended | | production | Environment of the service. |
| 9.1.0 | true | service | service.origin.ephemeral_id | keyword | extended | | 8a4f500f | Ephemeral identifier of this service. |
| 9.1.0 | true | service | service.origin.id | keyword | core | | d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 | Unique identifier of the running service. |
| 9.1.0 | true | service | service.origin.name | keyword | core | | elasticsearch-metrics | Name of the service. |
| 9.1.0 | true | service | service.origin.node.name | keyword | extended | | instance-0000000016 | Name of the service node. |
| 9.1.0 | true | service | service.origin.node.role | keyword | extended | | background_tasks | Deprecated role (singular) of the service node. |
| 9.1.0 | true | service | service.origin.node.roles | keyword | extended | array | `["ui", "background_tasks"]` | Roles of the service node. |
| 9.1.0 | true | service | service.origin.state | keyword | core | | | Current state of the service. |
| 9.1.0 | true | service | service.origin.type | keyword | core | | elasticsearch | The type of the service. |
| 9.1.0 | true | service | service.origin.version | keyword | core | | 3.2.4 | Version of the service. |
| 9.1.0 | true | service | service.state | keyword | core | | | Current state of the service. |
| 9.1.0 | true | service | service.target.address | keyword | extended | | 172.26.0.2:5432 | Address of this service. |
| 9.1.0 | true | service | service.target.environment | keyword | extended | | production | Environment of the service. |
| 9.1.0 | true | service | service.target.ephemeral_id | keyword | extended | | 8a4f500f | Ephemeral identifier of this service. |
| 9.1.0 | true | service | service.target.id | keyword | core | | d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 | Unique identifier of the running service. |
| 9.1.0 | true | service | service.target.name | keyword | core | | elasticsearch-metrics | Name of the service. |
| 9.1.0 | true | service | service.target.node.name | keyword | extended | | instance-0000000016 | Name of the service node. |
| 9.1.0 | true | service | service.target.node.role | keyword | extended | | background_tasks | Deprecated role (singular) of the service node. |
| 9.1.0 | true | service | service.target.node.roles | keyword | extended | array | `["ui", "background_tasks"]` | Roles of the service node. |
| 9.1.0 | true | service | service.target.state | keyword | core | | | Current state of the service. |
| 9.1.0 | true | service | service.target.type | keyword | core | | elasticsearch | The type of the service. |
| 9.1.0 | true | service | service.target.version | keyword | core | | 3.2.4 | Version of the service. |
| 9.1.0 | true | service | service.type | keyword | core | | elasticsearch | The type of the service. |
| 9.1.0 | true | service | service.version | keyword | core | | 3.2.4 | Version of the service. |
| 9.1.0 | true | source | source.address | keyword | extended | | | Source network address. |
| 9.1.0 | true | source | source.as.number | long | extended | | 15169 | Unique number allocated to the autonomous system. |
| 9.1.0 | true | source | source.as.organization.name | keyword | extended | | Google LLC | Organization name. |
| 9.1.0 | true | source | source.bytes | long | core | | 184 | Bytes sent from the source to the destination. |
| 9.1.0 | true | source | source.domain | keyword | core | | foo.example.com | The domain name of the source. |
| 9.1.0 | true | source | source.geo.city_name | keyword | core | | Montreal | City name. |
| 9.1.0 | true | source | source.geo.continent_code | keyword | core | | NA | Continent code. |
| 9.1.0 | true | source | source.geo.continent_name | keyword | core | | North America | Name of the continent. |
| 9.1.0 | true | source | source.geo.country_iso_code | keyword | core | | CA | Country ISO code. |
| 9.1.0 | true | source | source.geo.country_name | keyword | core | | Canada | Country name. |
| 9.1.0 | true | source | source.geo.location | geo_point | core | | `{ "lon": -73.614830, "lat": 45.505918 }` | Longitude and latitude. |
| 9.1.0 | true | source | source.geo.name | keyword | extended | | boston-dc | User-defined description of a location. |
| 9.1.0 | true | source | source.geo.postal_code | keyword | core | | 94040 | Postal code. |
| 9.1.0 | true | source | source.geo.region_iso_code | keyword | core | | CA-QC | Region ISO code. |
| 9.1.0 | true | source | source.geo.region_name | keyword | core | | Quebec | Region name. |
| 9.1.0 | true | source | source.geo.timezone | keyword | core | | America/Argentina/Buenos_Aires | Time zone. |
| 9.1.0 | true | source | source.ip | ip | core | | | IP address of the source. |
| 9.1.0 | true | source | source.mac | keyword | core | | 00-00-5E-00-53-23 | MAC address of the source. |
| 9.1.0 | true | source | source.nat.ip | ip | extended | | | Source NAT ip |
| 9.1.0 | true | source | source.nat.port | long | extended | | | Source NAT port |
| 9.1.0 | true | source | source.packets | long | core | | 12 | Packets sent from the source to the destination. |
| 9.1.0 | true | source | source.port | long | core | | | Port of the source. |
| 9.1.0 | true | source | source.registered_domain | keyword | extended | | example.com | The highest registered source domain, stripped of the subdomain. |
| 9.1.0 | true | source | source.subdomain | keyword | extended | | east | The subdomain of the domain. |
| 9.1.0 | true | source | source.top_level_domain | keyword | extended | | co.uk | The effective top level domain (com, org, net, co.uk). |
| 9.1.0 | true | source | source.user.domain | keyword | extended | | | Name of the directory the user is a member of. |
| 9.1.0 | true | source | source.user.email | keyword | extended | | | User email address. |
| 9.1.0 | true | source | source.user.full_name | keyword | extended | | Albert Einstein | User's full name, if available. |
| 9.1.0 | true | source | source.user.group.domain | keyword | extended | | | Name of the directory the group is a member of. |
| 9.1.0 | true | source | source.user.group.id | keyword | extended | | | Unique identifier for the group on the system/platform. |
| 9.1.0 | true | source | source.user.group.name | keyword | extended | | | Name of the group. |
| 9.1.0 | true | source | source.user.hash | keyword | extended | | | Unique user hash to correlate information for a user in anonymized form. |
| 9.1.0 | true | source | source.user.id | keyword | core | | S-1-5-21-202424912787-2692429404-2351956786-1000 | Unique identifier of the user. |
| 9.1.0 | true | source | source.user.name | keyword | core | | a.einstein | Short name or login of the user. |
| 9.1.0 | true | source | source.user.roles | keyword | extended | array | `["kibana_admin", "reporting_user"]` | Array of user roles at the time of the event. |
| 9.1.0 | true | span | span.id | keyword | extended | | 3ff9a8981b7ccd5a | Unique identifier of the span within the scope of its trace. |
| 9.1.0 | true | threat | threat.enrichments | nested | extended | array | | List of objects containing indicators enriching the event. |
| 9.1.0 | true | threat | threat.enrichments.indicator | object | extended | | | Object containing indicators enriching the event. |
| 9.1.0 | true | threat | threat.enrichments.indicator.as.number | long | extended | | 15169 | Unique number allocated to the autonomous system. |
| 9.1.0 | true | threat | threat.enrichments.indicator.as.organization.name | keyword | extended | | Google LLC | Organization name. |
| 9.1.0 | true | threat | threat.enrichments.indicator.confidence | keyword | extended | | Medium | Indicator confidence rating |
| 9.1.0 | true | threat | threat.enrichments.indicator.description | keyword | extended | | IP x.x.x.x was observed delivering the Angler EK. | Indicator description |
| 9.1.0 | true | threat | threat.enrichments.indicator.email.address | keyword | extended | | phish@example.com | Indicator email address |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.accessed | date | extended | | | Last time the file was accessed. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.attributes | keyword | extended | array | `["readonly", "system"]` | Array of file attributes. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.code_signature.digest_algorithm | keyword | extended | | sha256 | Hashing algorithm used to sign the process. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.code_signature.exists | boolean | core | | true | Boolean to capture if a signature is present. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.code_signature.flags | keyword | extended | | 570522385 | Code signing flags of the process |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.code_signature.signing_id | keyword | extended | | com.apple.xpc.proxy | The identifier used to sign the process. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.code_signature.status | keyword | extended | | ERROR_UNTRUSTED_ROOT | Additional information about the certificate status. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.code_signature.subject_name | keyword | core | | Microsoft Corporation | Subject name of the code signer |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.code_signature.team_id | keyword | extended | | EQHXZ8M8AV | The team identifier used to sign the process. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.code_signature.thumbprint_sha256 | keyword | extended | | c0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476b | SHA256 hash of the certificate. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.code_signature.timestamp | date | extended | | 2021-01-01T12:10:30Z | When the signature was generated and signed. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.code_signature.trusted | boolean | extended | | true | Stores the trust status of the certificate chain. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.code_signature.valid | boolean | extended | | true | Boolean to capture if the digital signature is verified against the binary content. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.created | date | extended | | | File creation time. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.ctime | date | extended | | | Last time the file attributes or metadata changed. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.device | keyword | extended | | sda | Device that is the source of the file. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.directory | keyword | extended | | /home/alice | Directory where the file is located. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.drive_letter | keyword | extended | | C | Drive letter where the file is located. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.architecture | keyword | extended | | x86-64 | Machine architecture of the ELF file. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.byte_order | keyword | extended | | Little Endian | Byte sequence of ELF file. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.cpu_type | keyword | extended | | Intel | CPU type of the ELF file. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.creation_date | date | extended | | | Build or compile date. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.exports | flat_object | extended | array | | List of exported element names and types. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.go_import_hash | keyword | extended | | 10bddcb4cee42080f76c88d9ff964491 | A hash of the Go language imports in an ELF file. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.go_imports | flat_object | extended | | | List of imported Go language element names and types. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.go_imports_names_entropy | long | extended | | | Shannon entropy calculation from the list of Go imports. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.go_imports_names_var_entropy | long | extended | | | Variance for Shannon entropy calculation from the list of Go imports. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.go_stripped | boolean | extended | | | Whether the file is a stripped or obfuscated Go executable. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.header.abi_version | keyword | extended | | | Version of the ELF Application Binary Interface (ABI). |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.header.class | keyword | extended | | | Header class of the ELF file. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.header.data | keyword | extended | | | Data table of the ELF header. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.header.entrypoint | long | extended | | | Header entrypoint of the ELF file. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.header.object_version | keyword | extended | | | "0x1" for original ELF files. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.header.os_abi | keyword | extended | | | Application Binary Interface (ABI) of the Linux OS. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.header.type | keyword | extended | | | Header type of the ELF file. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.header.version | keyword | extended | | | Version of the ELF header. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.import_hash | keyword | extended | | d41d8cd98f00b204e9800998ecf8427e | A hash of the imports in an ELF file. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.imports | flat_object | extended | array | | List of imported element names and types. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.imports_names_entropy | long | extended | | | Shannon entropy calculation from the list of imported element names and types. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.imports_names_var_entropy | long | extended | | | Variance for Shannon entropy calculation from the list of imported element names and types. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.sections | nested | extended | array | | Section information of the ELF file. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.sections.chi2 | long | extended | | | Chi-square probability distribution of the section. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.sections.entropy | long | extended | | | Shannon entropy calculation from the section. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.sections.flags | keyword | extended | | | ELF Section List flags. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.sections.name | keyword | extended | | | ELF Section List name. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.sections.physical_offset | keyword | extended | | | ELF Section List offset. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.sections.physical_size | long | extended | | | ELF Section List physical size. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.sections.type | keyword | extended | | | ELF Section List type. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.sections.var_entropy | long | extended | | | Variance for Shannon entropy calculation from the section. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.sections.virtual_address | long | extended | | | ELF Section List virtual address. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.sections.virtual_size | long | extended | | | ELF Section List virtual size. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.segments | nested | extended | array | | ELF object segment list. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.segments.sections | keyword | extended | | | ELF object segment sections. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.segments.type | keyword | extended | | | ELF object segment type. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.shared_libraries | keyword | extended | array | | List of shared libraries used by this ELF object. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.elf.telfhash | keyword | extended | | | telfhash hash for ELF file. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.extension | keyword | extended | | png | File extension, excluding the leading dot. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.fork_name | keyword | extended | | Zone.Identifier | A fork is additional data associated with a filesystem object. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.gid | keyword | extended | | 1001 | Primary group ID (GID) of the file. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.group | keyword | extended | | alice | Primary group name of the file. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.hash.cdhash | keyword | extended | | 3783b4052fd474dbe30676b45c329e7a6d44acd9 | The Code Directory (CD) hash of an executable. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.hash.md5 | keyword | extended | | | MD5 hash. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.hash.sha1 | keyword | extended | | | SHA1 hash. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.hash.sha256 | keyword | extended | | | SHA256 hash. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.hash.sha384 | keyword | extended | | | SHA384 hash. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.hash.sha512 | keyword | extended | | | SHA512 hash. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.hash.ssdeep | keyword | extended | | | SSDEEP hash. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.hash.tlsh | keyword | extended | | | TLSH hash. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.inode | keyword | extended | | 256383 | Inode representing the file in the filesystem. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.mime_type | keyword | extended | | | Media type of file, document, or arrangement of bytes. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.mode | keyword | extended | | 0640 | Mode of the file in octal representation. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.mtime | date | extended | | | Last time the file content was modified. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.name | keyword | extended | | example.png | Name of the file including the extension, without the directory. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.origin_referrer_url | keyword | extended | | http://example.com/article1.html | The URL of the webpage that linked to the file. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.origin_url | keyword | extended | | http://example.com/imgs/article1_img1.jpg | The URL where the file is hosted. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.owner | keyword | extended | | alice | File owner's username. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.path | keyword | extended | | /home/alice/example.png | Full path to the file, including the file name. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.architecture | keyword | extended | | x64 | CPU architecture target for the file. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.company | keyword | extended | | Microsoft Corporation | Internal company name of the file, provided at compile-time. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.description | keyword | extended | | Paint | Internal description of the file, provided at compile-time. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.file_version | keyword | extended | | 6.3.9600.17415 | Internal version of the file, provided at compile-time. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.go_import_hash | keyword | extended | | 10bddcb4cee42080f76c88d9ff964491 | A hash of the Go language imports in a PE file. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.go_imports | flat_object | extended | | | List of imported Go language element names and types. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.go_imports_names_entropy | long | extended | | | Shannon entropy calculation from the list of Go imports. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.go_imports_names_var_entropy | long | extended | | | Variance for Shannon entropy calculation from the list of Go imports. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.go_stripped | boolean | extended | | | Whether the file is a stripped or obfuscated Go executable. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.imphash | keyword | extended | | 0c6803c4e922103c4dca5963aad36ddf | A hash of the imports in a PE file. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.import_hash | keyword | extended | | d41d8cd98f00b204e9800998ecf8427e | A hash of the imports in a PE file. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.imports | flat_object | extended | array | | List of imported element names and types. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.imports_names_entropy | long | extended | | | Shannon entropy calculation from the list of imported element names and types. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.imports_names_var_entropy | long | extended | | | Variance for Shannon entropy calculation from the list of imported element names and types. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.original_file_name | keyword | extended | | MSPAINT.EXE | Internal name of the file, provided at compile-time. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.pehash | keyword | extended | | 73ff189b63cd6be375a7ff25179a38d347651975 | A hash of the PE header and data from one or more PE sections. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.product | keyword | extended | | Microsoft® Windows® Operating System | Internal product name of the file, provided at compile-time. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.sections | nested | extended | array | | Section information of the PE file. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.sections.entropy | long | extended | | | Shannon entropy calculation from the section. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.sections.name | keyword | extended | | | PE Section List name. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.sections.physical_size | long | extended | | | PE Section List physical size. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.sections.var_entropy | long | extended | | | Variance for Shannon entropy calculation from the section. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.pe.sections.virtual_size | long | extended | | | PE Section List virtual size (size in memory). It may differ from `physical_size`, the raw size on disk: sections holding uninitialized data, and packed binaries that unpack into a section at runtime, commonly have a virtual size larger than the physical size. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.size | long | extended | | 16384 | File size in bytes. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.target_path | keyword | extended | | | Target path for symlinks. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.type | keyword | extended | | file | File type (file, dir, or symlink). |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.uid | keyword | extended | | 1001 | The user ID (UID) or security identifier (SID) of the file owner. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.alternative_names | keyword | extended | array | `*.elastic.co` | List of subject alternative names (SAN). |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.issuer.common_name | keyword | extended | array | Example SHA2 High Assurance Server CA | List of common name (CN) of issuing certificate authority. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.issuer.country | keyword | extended | array | US | List of country (C) codes |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.issuer.distinguished_name | keyword | extended | | C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA | Distinguished name (DN) of issuing certificate authority. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.issuer.locality | keyword | extended | array | Mountain View | List of locality names (L) |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.issuer.organization | keyword | extended | array | Example Inc | List of organizations (O) of issuing certificate authority. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.issuer.organizational_unit | keyword | extended | array | www.example.com | List of organizational units (OU) of issuing certificate authority. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.issuer.state_or_province | keyword | extended | array | California | List of state or province names (ST, S, or P) |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.not_after | date | extended | | 2020-07-16T03:15:39Z | Time at which the certificate is no longer considered valid. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.not_before | date | extended | | 2019-08-16T01:40:25Z | Time at which the certificate is first considered valid. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.public_key_algorithm | keyword | extended | | RSA | Algorithm used to generate the public key. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.public_key_curve | keyword | extended | | nistp521 | The curve used by the elliptic curve public key algorithm. This is algorithm specific. |
| 9.1.0 | false | threat | threat.enrichments.indicator.file.x509.public_key_exponent | long | extended | | 65537 | Exponent used to derive the public key. This is algorithm specific. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.public_key_size | long | extended | | 2048 | The size of the public key space in bits. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.serial_number | keyword | extended | | 55FBB9C7DEBF09809D12CCAA | Unique serial number issued by the certificate authority. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.signature_algorithm | keyword | extended | | SHA256-RSA | Identifier for certificate signature algorithm. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.subject.common_name | keyword | extended | array | shared.global.example.net | List of common names (CN) of subject. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.subject.country | keyword | extended | array | US | List of country (C) code |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.subject.distinguished_name | keyword | extended | | C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net | Distinguished name (DN) of the certificate subject entity. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.subject.locality | keyword | extended | array | San Francisco | List of locality names (L) |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.subject.organization | keyword | extended | array | Example, Inc. | List of organizations (O) of subject. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.subject.organizational_unit | keyword | extended | array | | List of organizational units (OU) of subject. |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.subject.state_or_province | keyword | extended | array | California | List of state or province names (ST, S, or P) |
| 9.1.0 | true | threat | threat.enrichments.indicator.file.x509.version_number | keyword | extended | | 3 | Version of x509 format. |
| 9.1.0 | true | threat | threat.enrichments.indicator.first_seen | date | extended | | 2020-11-05T17:25:47.000Z | Date/time indicator was first reported. |
| 9.1.0 | true | threat | threat.enrichments.indicator.geo.city_name | keyword | core | | Montreal | City name. |
| 9.1.0 | true | threat | threat.enrichments.indicator.geo.continent_code | keyword | core | | NA | Continent code. |
| 9.1.0 | true | threat | threat.enrichments.indicator.geo.continent_name | keyword | core | | North America | Name of the continent. |
| 9.1.0 | true | threat | threat.enrichments.indicator.geo.country_iso_code | keyword | core | | CA | Country ISO code. |
| 9.1.0 | true | threat | threat.enrichments.indicator.geo.country_name | keyword | core | | Canada | Country name. |
| 9.1.0 | true | threat | threat.enrichments.indicator.geo.location | geo_point | core | | `{ "lon": -73.614830, "lat": 45.505918 }` | Longitude and latitude. |
| 9.1.0 | true | threat | threat.enrichments.indicator.geo.name | keyword | extended | | boston-dc | User-defined description of a location. |
| 9.1.0 | true | threat | threat.enrichments.indicator.geo.postal_code | keyword | core | | 94040 | Postal code. |
| 9.1.0 | true | threat | threat.enrichments.indicator.geo.region_iso_code | keyword | core | | CA-QC | Region ISO code. |
| 9.1.0 | true | threat | threat.enrichments.indicator.geo.region_name | keyword | core | | Quebec | Region name. |
| 9.1.0 | true | threat | threat.enrichments.indicator.geo.timezone | keyword | core | | America/Argentina/Buenos_Aires | Time zone. |
| 9.1.0 | true | threat | threat.enrichments.indicator.ip | ip | extended | | 1.2.3.4 | Indicator IP address |
| 9.1.0 | true | threat | threat.enrichments.indicator.last_seen | date | extended | | 2020-11-05T17:25:47.000Z | Date/time indicator was last reported. |
| 9.1.0 | true | threat | threat.enrichments.indicator.marking.tlp | keyword | extended | | CLEAR | Indicator TLP marking |
| 9.1.0 | true | threat | threat.enrichments.indicator.marking.tlp_version | keyword | extended | | 2.0 | Indicator TLP version |
| 9.1.0 | true | threat | threat.enrichments.indicator.modified_at | date | extended | | 2020-11-05T17:25:47.000Z | Date/time indicator was last updated. |
16949.1.0truethreatthreat.enrichments.indicator.namekeywordextended5.2.75.227Indicator display name
16959.1.0truethreatthreat.enrichments.indicator.portlongextended443Indicator port
16969.1.0truethreatthreat.enrichments.indicator.providerkeywordextendedlrz_urlhausIndicator provider
16979.1.0truethreatthreat.enrichments.indicator.referencekeywordextendedhttps://system.example.com/indicator/0001234Indicator reference URL
16989.1.0truethreatthreat.enrichments.indicator.registry.data.byteskeywordextendedZQBuAC0AVQBTAAAAZQBuAAAAAAA=Original bytes written with base64 encoding.
16999.1.0truethreatthreat.enrichments.indicator.registry.data.stringskeywordcorearray["C:\rta\red_ttp\bin\myapp.exe"]List of strings representing what was written to the registry.
17009.1.0truethreatthreat.enrichments.indicator.registry.data.typekeywordcoreREG_SZStandard registry type for encoding contents
17019.1.0truethreatthreat.enrichments.indicator.registry.hivekeywordcoreHKLMAbbreviated name for the hive.
17029.1.0truethreatthreat.enrichments.indicator.registry.keykeywordcoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exeHive-relative path of keys.
17039.1.0truethreatthreat.enrichments.indicator.registry.pathkeywordcoreHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\DebuggerFull path, including hive, key and value
17049.1.0truethreatthreat.enrichments.indicator.registry.valuekeywordcoreDebuggerName of the value written.
17059.1.0truethreatthreat.enrichments.indicator.scanner_statslongextended4Scanner statistics
17069.1.0truethreatthreat.enrichments.indicator.sightingslongextended20Number of times indicator observed
17079.1.0truethreatthreat.enrichments.indicator.typekeywordextendedipv4-addrType of indicator
17089.1.0truethreatthreat.enrichments.indicator.url.domainkeywordextendedwww.elastic.coDomain of the url.
17099.1.0truethreatthreat.enrichments.indicator.url.extensionkeywordextendedpngFile extension from the request url, excluding the leading dot.
17109.1.0truethreatthreat.enrichments.indicator.url.fragmentkeywordextendedPortion of the url after the `#`.
17119.1.0truethreatthreat.enrichments.indicator.url.fullkeywordextendedhttps://www.elastic.co:443/search?q=elasticsearch#topFull unparsed URL.
17129.1.0truethreatthreat.enrichments.indicator.url.originalkeywordextendedhttps://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearchUnmodified original url as seen in the event source.
17139.1.0truethreatthreat.enrichments.indicator.url.passwordkeywordextendedPassword of the request.
17149.1.0truethreatthreat.enrichments.indicator.url.pathkeywordextendedPath of the request, such as "/search".
17159.1.0truethreatthreat.enrichments.indicator.url.portlongextended443Port of the request, such as 443.
17169.1.0truethreatthreat.enrichments.indicator.url.querykeywordextendedQuery string of the request.
17179.1.0truethreatthreat.enrichments.indicator.url.registered_domainkeywordextendedexample.comThe highest registered url domain, stripped of the subdomain.
17189.1.0truethreatthreat.enrichments.indicator.url.schemekeywordextendedhttpsScheme of the url.
17199.1.0truethreatthreat.enrichments.indicator.url.subdomainkeywordextendedeastThe subdomain of the domain.
17209.1.0truethreatthreat.enrichments.indicator.url.top_level_domainkeywordextendedco.ukThe effective top level domain (com, org, net, co.uk).
17219.1.0truethreatthreat.enrichments.indicator.url.usernamekeywordextendedUsername of the request.
17229.1.0truethreatthreat.enrichments.indicator.x509.alternative_nameskeywordextendedarray*.elastic.coList of subject alternative names (SAN).
17239.1.0truethreatthreat.enrichments.indicator.x509.issuer.common_namekeywordextendedarrayExample SHA2 High Assurance Server CAList of common name (CN) of issuing certificate authority.
17249.1.0truethreatthreat.enrichments.indicator.x509.issuer.countrykeywordextendedarrayUSList of country \(C) codes
17259.1.0truethreatthreat.enrichments.indicator.x509.issuer.distinguished_namekeywordextendedC=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CADistinguished name (DN) of issuing certificate authority.
17269.1.0truethreatthreat.enrichments.indicator.x509.issuer.localitykeywordextendedarrayMountain ViewList of locality names (L)
17279.1.0truethreatthreat.enrichments.indicator.x509.issuer.organizationkeywordextendedarrayExample IncList of organizations (O) of issuing certificate authority.
17289.1.0truethreatthreat.enrichments.indicator.x509.issuer.organizational_unitkeywordextendedarraywww.example.comList of organizational units (OU) of issuing certificate authority.
17299.1.0truethreatthreat.enrichments.indicator.x509.issuer.state_or_provincekeywordextendedarrayCaliforniaList of state or province names (ST, S, or P)
17309.1.0truethreatthreat.enrichments.indicator.x509.not_afterdateextended2020-07-16T03:15:39ZTime at which the certificate is no longer considered valid.
17319.1.0truethreatthreat.enrichments.indicator.x509.not_beforedateextended2019-08-16T01:40:25ZTime at which the certificate is first considered valid.
17329.1.0truethreatthreat.enrichments.indicator.x509.public_key_algorithmkeywordextendedRSAAlgorithm used to generate the public key.
17339.1.0truethreatthreat.enrichments.indicator.x509.public_key_curvekeywordextendednistp521The curve used by the elliptic curve public key algorithm. This is algorithm specific.
17349.1.0falsethreatthreat.enrichments.indicator.x509.public_key_exponentlongextended65537Exponent used to derive the public key. This is algorithm specific.
17359.1.0truethreatthreat.enrichments.indicator.x509.public_key_sizelongextended2048The size of the public key space in bits.
17369.1.0truethreatthreat.enrichments.indicator.x509.serial_numberkeywordextended55FBB9C7DEBF09809D12CCAAUnique serial number issued by the certificate authority.
17379.1.0truethreatthreat.enrichments.indicator.x509.signature_algorithmkeywordextendedSHA256-RSAIdentifier for certificate signature algorithm.
17389.1.0truethreatthreat.enrichments.indicator.x509.subject.common_namekeywordextendedarrayshared.global.example.netList of common names (CN) of subject.
17399.1.0truethreatthreat.enrichments.indicator.x509.subject.countrykeywordextendedarrayUSList of country \(C) code
17409.1.0truethreatthreat.enrichments.indicator.x509.subject.distinguished_namekeywordextendedC=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.netDistinguished name (DN) of the certificate subject entity.
17419.1.0truethreatthreat.enrichments.indicator.x509.subject.localitykeywordextendedarraySan FranciscoList of locality names (L)
17429.1.0truethreatthreat.enrichments.indicator.x509.subject.organizationkeywordextendedarrayExample, Inc.List of organizations (O) of subject.
17439.1.0truethreatthreat.enrichments.indicator.x509.subject.organizational_unitkeywordextendedarrayList of organizational units (OU) of subject.
17449.1.0truethreatthreat.enrichments.indicator.x509.subject.state_or_provincekeywordextendedarrayCaliforniaList of state or province names (ST, S, or P)
17459.1.0truethreatthreat.enrichments.indicator.x509.version_numberkeywordextended3Version of x509 format.
17469.1.0truethreatthreat.enrichments.matched.atomickeywordextendedbad-domain.comMatched indicator value
17479.1.0truethreatthreat.enrichments.matched.fieldkeywordextendedfile.hash.sha256Matched indicator field
17489.1.0truethreatthreat.enrichments.matched.idkeywordextendedff93aee5-86a1-4a61-b0e6-0cdc313d01b5Matched indicator identifier
17499.1.0truethreatthreat.enrichments.matched.indexkeywordextendedfilebeat-8.0.0-2021.05.23-000011Matched indicator index
17509.1.0truethreatthreat.enrichments.matched.occurreddateextended2021-10-05T17:00:58.326ZDate of match
17519.1.0truethreatthreat.enrichments.matched.typekeywordextendedindicator_match_ruleType of indicator match
17529.1.0truethreatthreat.feed.dashboard_idkeywordextended5ba16340-72e6-11eb-a3e3-b3cc7c78a70fFeed dashboard ID.
17539.1.0truethreatthreat.feed.descriptionkeywordextendedThreat feed from the AlienVault Open Threat eXchange network.Description of the threat feed.
17549.1.0truethreatthreat.feed.namekeywordextendedAlienVault OTXName of the threat feed.
17559.1.0truethreatthreat.feed.referencekeywordextendedhttps://otx.alienvault.comReference for the threat feed.
17569.1.0truethreatthreat.frameworkkeywordextendedMITRE ATT&CKThreat classification framework.
17579.1.0truethreatthreat.group.aliaskeywordextendedarray[ "Magecart Group 6" ]Alias of the group.
17589.1.0truethreatthreat.group.idkeywordextendedG0037ID of the group.
17599.1.0truethreatthreat.group.namekeywordextendedFIN6Name of the group.
17609.1.0truethreatthreat.group.referencekeywordextendedhttps://attack.mitre.org/groups/G0037/Reference URL of the group.
17619.1.0truethreatthreat.indicator.as.numberlongextended15169Unique number allocated to the autonomous system.
17629.1.0truethreatthreat.indicator.as.organization.namekeywordextendedGoogle LLCOrganization name.
17639.1.0truethreatthreat.indicator.confidencekeywordextendedMediumIndicator confidence rating
17649.1.0truethreatthreat.indicator.descriptionkeywordextendedIP x.x.x.x was observed delivering the Angler EK.Indicator description
17659.1.0truethreatthreat.indicator.email.addresskeywordextendedphish@example.comIndicator email address
17669.1.0truethreatthreat.indicator.file.accesseddateextendedLast time the file was accessed.
17679.1.0truethreatthreat.indicator.file.attributeskeywordextendedarray["readonly", "system"]Array of file attributes.
17689.1.0truethreatthreat.indicator.file.code_signature.digest_algorithmkeywordextendedsha256Hashing algorithm used to sign the process.
17699.1.0truethreatthreat.indicator.file.code_signature.existsbooleancoretrueBoolean to capture if a signature is present.
17709.1.0truethreatthreat.indicator.file.code_signature.flagskeywordextended570522385Code signing flags of the process
17719.1.0truethreatthreat.indicator.file.code_signature.signing_idkeywordextendedcom.apple.xpc.proxyThe identifier used to sign the process.
17729.1.0truethreatthreat.indicator.file.code_signature.statuskeywordextendedERROR_UNTRUSTED_ROOTAdditional information about the certificate status.
17739.1.0truethreatthreat.indicator.file.code_signature.subject_namekeywordcoreMicrosoft CorporationSubject name of the code signer
17749.1.0truethreatthreat.indicator.file.code_signature.team_idkeywordextendedEQHXZ8M8AVThe team identifier used to sign the process.
17759.1.0truethreatthreat.indicator.file.code_signature.thumbprint_sha256keywordextendedc0f23a8eb1cba0ccaa88483b5a234c96e4bdfec719bf458024e68c2a8183476bSHA256 hash of the certificate.
17769.1.0truethreatthreat.indicator.file.code_signature.timestampdateextended2021-01-01T12:10:30ZWhen the signature was generated and signed.
17779.1.0truethreatthreat.indicator.file.code_signature.trustedbooleanextendedtrueStores the trust status of the certificate chain.
17789.1.0truethreatthreat.indicator.file.code_signature.validbooleanextendedtrueBoolean to capture if the digital signature is verified against the binary content.
17799.1.0truethreatthreat.indicator.file.createddateextendedFile creation time.
17809.1.0truethreatthreat.indicator.file.ctimedateextendedLast time the file attributes or metadata changed.
17819.1.0truethreatthreat.indicator.file.devicekeywordextendedsdaDevice that is the source of the file.
17829.1.0truethreatthreat.indicator.file.directorykeywordextended/home/aliceDirectory where the file is located.
17839.1.0truethreatthreat.indicator.file.drive_letterkeywordextendedCDrive letter where the file is located.
17849.1.0truethreatthreat.indicator.file.elf.architecturekeywordextendedx86-64Machine architecture of the ELF file.
17859.1.0truethreatthreat.indicator.file.elf.byte_orderkeywordextendedLittle EndianByte sequence of ELF file.
17869.1.0truethreatthreat.indicator.file.elf.cpu_typekeywordextendedIntelCPU type of the ELF file.
17879.1.0truethreatthreat.indicator.file.elf.creation_datedateextendedBuild or compile date.
17889.1.0truethreatthreat.indicator.file.elf.exportsflat_objectextendedarrayList of exported element names and types.
17899.1.0truethreatthreat.indicator.file.elf.go_import_hashkeywordextended10bddcb4cee42080f76c88d9ff964491A hash of the Go language imports in an ELF file.
17909.1.0truethreatthreat.indicator.file.elf.go_importsflat_objectextendedList of imported Go language element names and types.
17919.1.0truethreatthreat.indicator.file.elf.go_imports_names_entropylongextendedShannon entropy calculation from the list of Go imports.
17929.1.0truethreatthreat.indicator.file.elf.go_imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of Go imports.
17939.1.0truethreatthreat.indicator.file.elf.go_strippedbooleanextendedWhether the file is a stripped or obfuscated Go executable.
17949.1.0truethreatthreat.indicator.file.elf.header.abi_versionkeywordextendedVersion of the ELF Application Binary Interface (ABI).
17959.1.0truethreatthreat.indicator.file.elf.header.classkeywordextendedHeader class of the ELF file.
17969.1.0truethreatthreat.indicator.file.elf.header.datakeywordextendedData table of the ELF header.
17979.1.0truethreatthreat.indicator.file.elf.header.entrypointlongextendedHeader entrypoint of the ELF file.
17989.1.0truethreatthreat.indicator.file.elf.header.object_versionkeywordextended"0x1" for original ELF files.
17999.1.0truethreatthreat.indicator.file.elf.header.os_abikeywordextendedApplication Binary Interface (ABI) of the Linux OS.
18009.1.0truethreatthreat.indicator.file.elf.header.typekeywordextendedHeader type of the ELF file.
18019.1.0truethreatthreat.indicator.file.elf.header.versionkeywordextendedVersion of the ELF header.
18029.1.0truethreatthreat.indicator.file.elf.import_hashkeywordextendedd41d8cd98f00b204e9800998ecf8427eA hash of the imports in an ELF file.
18039.1.0truethreatthreat.indicator.file.elf.importsflat_objectextendedarrayList of imported element names and types.
18049.1.0truethreatthreat.indicator.file.elf.imports_names_entropylongextendedShannon entropy calculation from the list of imported element names and types.
18059.1.0truethreatthreat.indicator.file.elf.imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of imported element names and types.
18069.1.0truethreatthreat.indicator.file.elf.sectionsnestedextendedarraySection information of the ELF file.
18079.1.0truethreatthreat.indicator.file.elf.sections.chi2longextendedChi-square probability distribution of the section.
18089.1.0truethreatthreat.indicator.file.elf.sections.entropylongextendedShannon entropy calculation from the section.
18099.1.0truethreatthreat.indicator.file.elf.sections.flagskeywordextendedELF Section List flags.
18109.1.0truethreatthreat.indicator.file.elf.sections.namekeywordextendedELF Section List name.
18119.1.0truethreatthreat.indicator.file.elf.sections.physical_offsetkeywordextendedELF Section List offset.
18129.1.0truethreatthreat.indicator.file.elf.sections.physical_sizelongextendedELF Section List physical size.
18139.1.0truethreatthreat.indicator.file.elf.sections.typekeywordextendedELF Section List type.
18149.1.0truethreatthreat.indicator.file.elf.sections.var_entropylongextendedVariance for Shannon entropy calculation from the section.
18159.1.0truethreatthreat.indicator.file.elf.sections.virtual_addresslongextendedELF Section List virtual address.
18169.1.0truethreatthreat.indicator.file.elf.sections.virtual_sizelongextendedELF Section List virtual size.
18179.1.0truethreatthreat.indicator.file.elf.segmentsnestedextendedarrayELF object segment list.
18189.1.0truethreatthreat.indicator.file.elf.segments.sectionskeywordextendedELF object segment sections.
18199.1.0truethreatthreat.indicator.file.elf.segments.typekeywordextendedELF object segment type.
18209.1.0truethreatthreat.indicator.file.elf.shared_librarieskeywordextendedarrayList of shared libraries used by this ELF object.
18219.1.0truethreatthreat.indicator.file.elf.telfhashkeywordextendedtelfhash hash for ELF file.
18229.1.0truethreatthreat.indicator.file.extensionkeywordextendedpngFile extension, excluding the leading dot.
18239.1.0truethreatthreat.indicator.file.fork_namekeywordextendedZone.IdentiferA fork is additional data associated with a filesystem object.
18249.1.0truethreatthreat.indicator.file.gidkeywordextended1001Primary group ID (GID) of the file.
18259.1.0truethreatthreat.indicator.file.groupkeywordextendedalicePrimary group name of the file.
18269.1.0truethreatthreat.indicator.file.hash.cdhashkeywordextended3783b4052fd474dbe30676b45c329e7a6d44acd9The Code Directory (CD) hash of an executable.
18279.1.0truethreatthreat.indicator.file.hash.md5keywordextendedMD5 hash.
18289.1.0truethreatthreat.indicator.file.hash.sha1keywordextendedSHA1 hash.
18299.1.0truethreatthreat.indicator.file.hash.sha256keywordextendedSHA256 hash.
18309.1.0truethreatthreat.indicator.file.hash.sha384keywordextendedSHA384 hash.
18319.1.0truethreatthreat.indicator.file.hash.sha512keywordextendedSHA512 hash.
18329.1.0truethreatthreat.indicator.file.hash.ssdeepkeywordextendedSSDEEP hash.
18339.1.0truethreatthreat.indicator.file.hash.tlshkeywordextendedTLSH hash.
18349.1.0truethreatthreat.indicator.file.inodekeywordextended256383Inode representing the file in the filesystem.
18359.1.0truethreatthreat.indicator.file.mime_typekeywordextendedMedia type of file, document, or arrangement of bytes.
18369.1.0truethreatthreat.indicator.file.modekeywordextended0640Mode of the file in octal representation.
18379.1.0truethreatthreat.indicator.file.mtimedateextendedLast time the file content was modified.
18389.1.0truethreatthreat.indicator.file.namekeywordextendedexample.pngName of the file including the extension, without the directory.
18399.1.0truethreatthreat.indicator.file.origin_referrer_urlkeywordextendedhttp://example.com/article1.htmlThe URL of the webpage that linked to the file.
18409.1.0truethreatthreat.indicator.file.origin_urlkeywordextendedhttp://example.com/imgs/article1_img1.jpgThe URL where the file is hosted.
18419.1.0truethreatthreat.indicator.file.ownerkeywordextendedaliceFile owner's username.
18429.1.0truethreatthreat.indicator.file.pathkeywordextended/home/alice/example.pngFull path to the file, including the file name.
18439.1.0truethreatthreat.indicator.file.pe.architecturekeywordextendedx64CPU architecture target for the file.
18449.1.0truethreatthreat.indicator.file.pe.companykeywordextendedMicrosoft CorporationInternal company name of the file, provided at compile-time.
18459.1.0truethreatthreat.indicator.file.pe.descriptionkeywordextendedPaintInternal description of the file, provided at compile-time.
18469.1.0truethreatthreat.indicator.file.pe.file_versionkeywordextended6.3.9600.17415Process name.
18479.1.0truethreatthreat.indicator.file.pe.go_import_hashkeywordextended10bddcb4cee42080f76c88d9ff964491A hash of the Go language imports in a PE file.
18489.1.0truethreatthreat.indicator.file.pe.go_importsflat_objectextendedList of imported Go language element names and types.
18499.1.0truethreatthreat.indicator.file.pe.go_imports_names_entropylongextendedShannon entropy calculation from the list of Go imports.
18509.1.0truethreatthreat.indicator.file.pe.go_imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of Go imports.
18519.1.0truethreatthreat.indicator.file.pe.go_strippedbooleanextendedWhether the file is a stripped or obfuscated Go executable.
18529.1.0truethreatthreat.indicator.file.pe.imphashkeywordextended0c6803c4e922103c4dca5963aad36ddfA hash of the imports in a PE file.
18539.1.0truethreatthreat.indicator.file.pe.import_hashkeywordextendedd41d8cd98f00b204e9800998ecf8427eA hash of the imports in a PE file.
18549.1.0truethreatthreat.indicator.file.pe.importsflat_objectextendedarrayList of imported element names and types.
18559.1.0truethreatthreat.indicator.file.pe.imports_names_entropylongextendedShannon entropy calculation from the list of imported element names and types.
18569.1.0truethreatthreat.indicator.file.pe.imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of imported element names and types.
18579.1.0truethreatthreat.indicator.file.pe.original_file_namekeywordextendedMSPAINT.EXEInternal name of the file, provided at compile-time.
18589.1.0truethreatthreat.indicator.file.pe.pehashkeywordextended73ff189b63cd6be375a7ff25179a38d347651975A hash of the PE header and data from one or more PE sections.
18599.1.0truethreatthreat.indicator.file.pe.productkeywordextendedMicrosoft® Windows® Operating SystemInternal product name of the file, provided at compile-time.
18609.1.0truethreatthreat.indicator.file.pe.sectionsnestedextendedarraySection information of the PE file.
18619.1.0truethreatthreat.indicator.file.pe.sections.entropylongextendedShannon entropy calculation from the section.
18629.1.0truethreatthreat.indicator.file.pe.sections.namekeywordextendedPE Section List name.
18639.1.0truethreatthreat.indicator.file.pe.sections.physical_sizelongextendedPE Section List physical size.
18649.1.0truethreatthreat.indicator.file.pe.sections.var_entropylongextendedVariance for Shannon entropy calculation from the section.
18659.1.0truethreatthreat.indicator.file.pe.sections.virtual_sizelongextendedPE Section List virtual size. This is always the same as `physical_size`.
18669.1.0truethreatthreat.indicator.file.sizelongextended16384File size in bytes.
18679.1.0truethreatthreat.indicator.file.target_pathkeywordextendedTarget path for symlinks.
18689.1.0truethreatthreat.indicator.file.typekeywordextendedfileFile type (file, dir, or symlink).
18699.1.0truethreatthreat.indicator.file.uidkeywordextended1001The user ID (UID) or security identifier (SID) of the file owner.
18709.1.0truethreatthreat.indicator.file.x509.alternative_nameskeywordextendedarray*.elastic.coList of subject alternative names (SAN).
18719.1.0truethreatthreat.indicator.file.x509.issuer.common_namekeywordextendedarrayExample SHA2 High Assurance Server CAList of common name (CN) of issuing certificate authority.
18729.1.0truethreatthreat.indicator.file.x509.issuer.countrykeywordextendedarrayUSList of country \(C) codes
18739.1.0truethreatthreat.indicator.file.x509.issuer.distinguished_namekeywordextendedC=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CADistinguished name (DN) of issuing certificate authority.
18749.1.0truethreatthreat.indicator.file.x509.issuer.localitykeywordextendedarrayMountain ViewList of locality names (L)
18759.1.0truethreatthreat.indicator.file.x509.issuer.organizationkeywordextendedarrayExample IncList of organizations (O) of issuing certificate authority.
18769.1.0truethreatthreat.indicator.file.x509.issuer.organizational_unitkeywordextendedarraywww.example.comList of organizational units (OU) of issuing certificate authority.
18779.1.0truethreatthreat.indicator.file.x509.issuer.state_or_provincekeywordextendedarrayCaliforniaList of state or province names (ST, S, or P)
18789.1.0truethreatthreat.indicator.file.x509.not_afterdateextended2020-07-16T03:15:39ZTime at which the certificate is no longer considered valid.
18799.1.0truethreatthreat.indicator.file.x509.not_beforedateextended2019-08-16T01:40:25ZTime at which the certificate is first considered valid.
18809.1.0truethreatthreat.indicator.file.x509.public_key_algorithmkeywordextendedRSAAlgorithm used to generate the public key.
18819.1.0truethreatthreat.indicator.file.x509.public_key_curvekeywordextendednistp521The curve used by the elliptic curve public key algorithm. This is algorithm specific.
18829.1.0falsethreatthreat.indicator.file.x509.public_key_exponentlongextended65537Exponent used to derive the public key. This is algorithm specific.
18839.1.0truethreatthreat.indicator.file.x509.public_key_sizelongextended2048The size of the public key space in bits.
18849.1.0truethreatthreat.indicator.file.x509.serial_numberkeywordextended55FBB9C7DEBF09809D12CCAAUnique serial number issued by the certificate authority.
18859.1.0truethreatthreat.indicator.file.x509.signature_algorithmkeywordextendedSHA256-RSAIdentifier for certificate signature algorithm.
18869.1.0truethreatthreat.indicator.file.x509.subject.common_namekeywordextendedarrayshared.global.example.netList of common names (CN) of subject.
18879.1.0truethreatthreat.indicator.file.x509.subject.countrykeywordextendedarrayUSList of country \(C) code
18889.1.0truethreatthreat.indicator.file.x509.subject.distinguished_namekeywordextendedC=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.netDistinguished name (DN) of the certificate subject entity.
18899.1.0truethreatthreat.indicator.file.x509.subject.localitykeywordextendedarraySan FranciscoList of locality names (L)
18909.1.0truethreatthreat.indicator.file.x509.subject.organizationkeywordextendedarrayExample, Inc.List of organizations (O) of subject.
18919.1.0truethreatthreat.indicator.file.x509.subject.organizational_unitkeywordextendedarrayList of organizational units (OU) of subject.
18929.1.0truethreatthreat.indicator.file.x509.subject.state_or_provincekeywordextendedarrayCaliforniaList of state or province names (ST, S, or P)
18939.1.0truethreatthreat.indicator.file.x509.version_numberkeywordextended3Version of x509 format.
18949.1.0truethreatthreat.indicator.first_seendateextended2020-11-05T17:25:47.000ZDate/time indicator was first reported.
18959.1.0truethreatthreat.indicator.geo.city_namekeywordcoreMontrealCity name.
18969.1.0truethreatthreat.indicator.geo.continent_codekeywordcoreNAContinent code.
18979.1.0truethreatthreat.indicator.geo.continent_namekeywordcoreNorth AmericaName of the continent.
18989.1.0truethreatthreat.indicator.geo.country_iso_codekeywordcoreCACountry ISO code.
18999.1.0truethreatthreat.indicator.geo.country_namekeywordcoreCanadaCountry name.
19009.1.0truethreatthreat.indicator.geo.locationgeo_pointcore{ "lon": -73.614830, "lat": 45.505918 }Longitude and latitude.
19019.1.0truethreatthreat.indicator.geo.namekeywordextendedboston-dcUser-defined description of a location.
19029.1.0truethreatthreat.indicator.geo.postal_codekeywordcore94040Postal code.
19039.1.0truethreatthreat.indicator.geo.region_iso_codekeywordcoreCA-QCRegion ISO code.
19049.1.0truethreatthreat.indicator.geo.region_namekeywordcoreQuebecRegion name.
19059.1.0truethreatthreat.indicator.geo.timezonekeywordcoreAmerica/Argentina/Buenos_AiresTime zone.
19069.1.0truethreatthreat.indicator.idkeywordextendedarray[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]ID of the indicator
19079.1.0truethreatthreat.indicator.ipipextended1.2.3.4Indicator IP address
19089.1.0truethreatthreat.indicator.last_seendateextended2020-11-05T17:25:47.000ZDate/time indicator was last reported.
19099.1.0truethreatthreat.indicator.marking.tlpkeywordextendedCLEARIndicator TLP marking
19109.1.0truethreatthreat.indicator.marking.tlp_versionkeywordextended2.0Indicator TLP version
19119.1.0truethreatthreat.indicator.modified_atdateextended2020-11-05T17:25:47.000ZDate/time indicator was last updated.
19129.1.0truethreatthreat.indicator.namekeywordextended5.2.75.227Indicator display name
19139.1.0truethreatthreat.indicator.portlongextended443Indicator port
19149.1.0truethreatthreat.indicator.providerkeywordextendedlrz_urlhausIndicator provider
19159.1.0truethreatthreat.indicator.referencekeywordextendedhttps://system.example.com/indicator/0001234Indicator reference URL
19169.1.0truethreatthreat.indicator.registry.data.byteskeywordextendedZQBuAC0AVQBTAAAAZQBuAAAAAAA=Original bytes written with base64 encoding.
19179.1.0truethreatthreat.indicator.registry.data.stringskeywordcorearray["C:\rta\red_ttp\bin\myapp.exe"]List of strings representing what was written to the registry.

| ECS_Version | Indexed | Field_Set | Field | Type | Level | Normalization | Example | Description |
|---|---|---|---|---|---|---|---|---|
| 9.1.0 | true | threat | threat.indicator.registry.data.type | keyword | core | | REG_SZ | Standard registry type for encoding contents. |
| 9.1.0 | true | threat | threat.indicator.registry.hive | keyword | core | | HKLM | Abbreviated name for the hive. |
| 9.1.0 | true | threat | threat.indicator.registry.key | keyword | core | | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe | Hive-relative path of keys. |
| 9.1.0 | true | threat | threat.indicator.registry.path | keyword | core | | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger | Full path, including hive, key and value. |
| 9.1.0 | true | threat | threat.indicator.registry.value | keyword | core | | Debugger | Name of the value written. |
| 9.1.0 | true | threat | threat.indicator.scanner_stats | long | extended | | 4 | Scanner statistics. |
| 9.1.0 | true | threat | threat.indicator.sightings | long | extended | | 20 | Number of times the indicator has been observed. |
| 9.1.0 | true | threat | threat.indicator.type | keyword | extended | | ipv4-addr | Type of indicator. |
| 9.1.0 | true | threat | threat.indicator.url.domain | keyword | extended | | www.elastic.co | Domain of the URL. |
| 9.1.0 | true | threat | threat.indicator.url.extension | keyword | extended | | png | File extension from the request URL, excluding the leading dot. |
| 9.1.0 | true | threat | threat.indicator.url.fragment | keyword | extended | | | Portion of the URL after the `#`. |
| 9.1.0 | true | threat | threat.indicator.url.full | keyword | extended | | https://www.elastic.co:443/search?q=elasticsearch#top | Full unparsed URL. |
| 9.1.0 | true | threat | threat.indicator.url.original | keyword | extended | | https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch | Unmodified original URL as seen in the event source. |
| 9.1.0 | true | threat | threat.indicator.url.password | keyword | extended | | | Password of the request. |
| 9.1.0 | true | threat | threat.indicator.url.path | keyword | extended | | | Path of the request, such as "/search". |
| 9.1.0 | true | threat | threat.indicator.url.port | long | extended | | 443 | Port of the request, such as 443. |
| 9.1.0 | true | threat | threat.indicator.url.query | keyword | extended | | | Query string of the request. |
| 9.1.0 | true | threat | threat.indicator.url.registered_domain | keyword | extended | | example.com | The highest registered URL domain, stripped of the subdomain. |
| 9.1.0 | true | threat | threat.indicator.url.scheme | keyword | extended | | https | Scheme of the URL. |
| 9.1.0 | true | threat | threat.indicator.url.subdomain | keyword | extended | | east | The subdomain of the domain. |
| 9.1.0 | true | threat | threat.indicator.url.top_level_domain | keyword | extended | | co.uk | The effective top level domain (com, org, net, co.uk). |
| 9.1.0 | true | threat | threat.indicator.url.username | keyword | extended | | | Username of the request. |
| 9.1.0 | true | threat | threat.indicator.x509.alternative_names | keyword | extended | array | `*.elastic.co` | List of subject alternative names (SAN). |
| 9.1.0 | true | threat | threat.indicator.x509.issuer.common_name | keyword | extended | array | Example SHA2 High Assurance Server CA | List of common names (CN) of the issuing certificate authority. |
| 9.1.0 | true | threat | threat.indicator.x509.issuer.country | keyword | extended | array | US | List of country (C) codes. |
| 9.1.0 | true | threat | threat.indicator.x509.issuer.distinguished_name | keyword | extended | | C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA | Distinguished name (DN) of the issuing certificate authority. |
| 9.1.0 | true | threat | threat.indicator.x509.issuer.locality | keyword | extended | array | Mountain View | List of locality names (L). |
| 9.1.0 | true | threat | threat.indicator.x509.issuer.organization | keyword | extended | array | Example Inc | List of organizations (O) of the issuing certificate authority. |
| 9.1.0 | true | threat | threat.indicator.x509.issuer.organizational_unit | keyword | extended | array | www.example.com | List of organizational units (OU) of the issuing certificate authority. |
| 9.1.0 | true | threat | threat.indicator.x509.issuer.state_or_province | keyword | extended | array | California | List of state or province names (ST, S, or P). |
| 9.1.0 | true | threat | threat.indicator.x509.not_after | date | extended | | 2020-07-16T03:15:39Z | Time at which the certificate is no longer considered valid. |
| 9.1.0 | true | threat | threat.indicator.x509.not_before | date | extended | | 2019-08-16T01:40:25Z | Time at which the certificate is first considered valid. |
| 9.1.0 | true | threat | threat.indicator.x509.public_key_algorithm | keyword | extended | | RSA | Algorithm used to generate the public key. |
| 9.1.0 | true | threat | threat.indicator.x509.public_key_curve | keyword | extended | | nistp521 | The curve used by the elliptic curve public key algorithm. This is algorithm specific. |
| 9.1.0 | false | threat | threat.indicator.x509.public_key_exponent | long | extended | | 65537 | Exponent used to derive the public key. This is algorithm specific. |
| 9.1.0 | true | threat | threat.indicator.x509.public_key_size | long | extended | | 2048 | The size of the public key space in bits. |
| 9.1.0 | true | threat | threat.indicator.x509.serial_number | keyword | extended | | 55FBB9C7DEBF09809D12CCAA | Unique serial number issued by the certificate authority. |
| 9.1.0 | true | threat | threat.indicator.x509.signature_algorithm | keyword | extended | | SHA256-RSA | Identifier for the certificate signature algorithm. |
| 9.1.0 | true | threat | threat.indicator.x509.subject.common_name | keyword | extended | array | shared.global.example.net | List of common names (CN) of the subject. |
| 9.1.0 | true | threat | threat.indicator.x509.subject.country | keyword | extended | array | US | List of country (C) codes. |
| 9.1.0 | true | threat | threat.indicator.x509.subject.distinguished_name | keyword | extended | | C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net | Distinguished name (DN) of the certificate subject entity. |
| 9.1.0 | true | threat | threat.indicator.x509.subject.locality | keyword | extended | array | San Francisco | List of locality names (L). |
| 9.1.0 | true | threat | threat.indicator.x509.subject.organization | keyword | extended | array | Example, Inc. | List of organizations (O) of the subject. |
| 9.1.0 | true | threat | threat.indicator.x509.subject.organizational_unit | keyword | extended | array | | List of organizational units (OU) of the subject. |
| 9.1.0 | true | threat | threat.indicator.x509.subject.state_or_province | keyword | extended | array | California | List of state or province names (ST, S, or P). |
| 9.1.0 | true | threat | threat.indicator.x509.version_number | keyword | extended | | 3 | Version of the X.509 format. |
| 9.1.0 | true | threat | threat.software.alias | keyword | extended | array | [ "X-Agent" ] | Alias of the software. |
| 9.1.0 | true | threat | threat.software.id | keyword | extended | | S0552 | ID of the software. |
| 9.1.0 | true | threat | threat.software.name | keyword | extended | | AdFind | Name of the software. |
| 9.1.0 | true | threat | threat.software.platforms | keyword | extended | array | [ "Windows" ] | Platforms of the software. |
| 9.1.0 | true | threat | threat.software.reference | keyword | extended | | https://attack.mitre.org/software/S0552/ | Software reference URL. |
| 9.1.0 | true | threat | threat.software.type | keyword | extended | | Tool | Software type. |
| 9.1.0 | true | threat | threat.tactic.id | keyword | extended | array | TA0002 | Threat tactic ID. |
| 9.1.0 | true | threat | threat.tactic.name | keyword | extended | array | Execution | Threat tactic name. |
| 9.1.0 | true | threat | threat.tactic.reference | keyword | extended | array | https://attack.mitre.org/tactics/TA0002/ | Threat tactic URL reference. |
| 9.1.0 | true | threat | threat.technique.id | keyword | extended | array | T1059 | Threat technique ID. |
| 9.1.0 | true | threat | threat.technique.name | keyword | extended | array | Command and Scripting Interpreter | Threat technique name. |
| 9.1.0 | true | threat | threat.technique.reference | keyword | extended | array | https://attack.mitre.org/techniques/T1059/ | Threat technique URL reference. |
| 9.1.0 | true | threat | threat.technique.subtechnique.id | keyword | extended | array | T1059.001 | Threat subtechnique ID. |
| 9.1.0 | true | threat | threat.technique.subtechnique.name | keyword | extended | array | PowerShell | Threat subtechnique name. |
| 9.1.0 | true | threat | threat.technique.subtechnique.reference | keyword | extended | array | https://attack.mitre.org/techniques/T1059/001/ | Threat subtechnique URL reference. |

| ECS_Version | Indexed | Field_Set | Field | Type | Level | Normalization | Example | Description |
|---|---|---|---|---|---|---|---|---|
| 9.1.0 | true | tls | tls.cipher | keyword | extended | | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | String indicating the cipher used during the current connection. |
| 9.1.0 | true | tls | tls.client.certificate | keyword | extended | | MII... | PEM-encoded stand-alone certificate offered by the client. |
| 9.1.0 | true | tls | tls.client.certificate_chain | keyword | extended | array | ["MII...", "MII..."] | Array of PEM-encoded certificates that make up the certificate chain offered by the client. |
| 9.1.0 | true | tls | tls.client.hash.md5 | keyword | extended | | 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC | Certificate fingerprint using the MD5 digest of the DER-encoded certificate offered by the client. |
| 9.1.0 | true | tls | tls.client.hash.sha1 | keyword | extended | | 9E393D93138888D288266C2D915214D1D1CCEB2A | Certificate fingerprint using the SHA1 digest of the DER-encoded certificate offered by the client. |
| 9.1.0 | true | tls | tls.client.hash.sha256 | keyword | extended | | 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 | Certificate fingerprint using the SHA256 digest of the DER-encoded certificate offered by the client. |
| 9.1.0 | true | tls | tls.client.issuer | keyword | extended | | CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com | Distinguished name of the subject of the issuer of the x.509 certificate presented by the client. |
| 9.1.0 | true | tls | tls.client.ja3 | keyword | extended | | d4e5b18d6b55c71272893221c96ba240 | A hash that identifies clients based on how they perform an SSL/TLS handshake. |
| 9.1.0 | true | tls | tls.client.not_after | date | extended | | 2021-01-01T00:00:00.000Z | Date/time indicating when the client certificate is no longer considered valid. |
| 9.1.0 | true | tls | tls.client.not_before | date | extended | | 1970-01-01T00:00:00.000Z | Date/time indicating when the client certificate is first considered valid. |
| 9.1.0 | true | tls | tls.client.server_name | keyword | extended | | www.elastic.co | Hostname the client is trying to connect to. Also called the SNI. |
| 9.1.0 | true | tls | tls.client.subject | keyword | extended | | CN=myclient, OU=Documentation Team, DC=example, DC=com | Distinguished name of the subject of the x.509 certificate presented by the client. |
| 9.1.0 | true | tls | tls.client.supported_ciphers | keyword | extended | array | ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."] | Array of ciphers offered by the client during the client hello. |
| 9.1.0 | true | tls | tls.client.x509.alternative_names | keyword | extended | array | `*.elastic.co` | List of subject alternative names (SAN). |
| 9.1.0 | true | tls | tls.client.x509.issuer.common_name | keyword | extended | array | Example SHA2 High Assurance Server CA | List of common names (CN) of the issuing certificate authority. |
| 9.1.0 | true | tls | tls.client.x509.issuer.country | keyword | extended | array | US | List of country (C) codes. |
| 9.1.0 | true | tls | tls.client.x509.issuer.distinguished_name | keyword | extended | | C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA | Distinguished name (DN) of the issuing certificate authority. |
| 9.1.0 | true | tls | tls.client.x509.issuer.locality | keyword | extended | array | Mountain View | List of locality names (L). |
| 9.1.0 | true | tls | tls.client.x509.issuer.organization | keyword | extended | array | Example Inc | List of organizations (O) of the issuing certificate authority. |
| 9.1.0 | true | tls | tls.client.x509.issuer.organizational_unit | keyword | extended | array | www.example.com | List of organizational units (OU) of the issuing certificate authority. |
| 9.1.0 | true | tls | tls.client.x509.issuer.state_or_province | keyword | extended | array | California | List of state or province names (ST, S, or P). |
| 9.1.0 | true | tls | tls.client.x509.not_after | date | extended | | 2020-07-16T03:15:39Z | Time at which the certificate is no longer considered valid. |
| 9.1.0 | true | tls | tls.client.x509.not_before | date | extended | | 2019-08-16T01:40:25Z | Time at which the certificate is first considered valid. |
| 9.1.0 | true | tls | tls.client.x509.public_key_algorithm | keyword | extended | | RSA | Algorithm used to generate the public key. |
| 9.1.0 | true | tls | tls.client.x509.public_key_curve | keyword | extended | | nistp521 | The curve used by the elliptic curve public key algorithm. This is algorithm specific. |
| 9.1.0 | false | tls | tls.client.x509.public_key_exponent | long | extended | | 65537 | Exponent used to derive the public key. This is algorithm specific. |
| 9.1.0 | true | tls | tls.client.x509.public_key_size | long | extended | | 2048 | The size of the public key space in bits. |
| 9.1.0 | true | tls | tls.client.x509.serial_number | keyword | extended | | 55FBB9C7DEBF09809D12CCAA | Unique serial number issued by the certificate authority. |
| 9.1.0 | true | tls | tls.client.x509.signature_algorithm | keyword | extended | | SHA256-RSA | Identifier for the certificate signature algorithm. |
| 9.1.0 | true | tls | tls.client.x509.subject.common_name | keyword | extended | array | shared.global.example.net | List of common names (CN) of the subject. |
| 9.1.0 | true | tls | tls.client.x509.subject.country | keyword | extended | array | US | List of country (C) codes. |
| 9.1.0 | true | tls | tls.client.x509.subject.distinguished_name | keyword | extended | | C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net | Distinguished name (DN) of the certificate subject entity. |
| 9.1.0 | true | tls | tls.client.x509.subject.locality | keyword | extended | array | San Francisco | List of locality names (L). |
| 9.1.0 | true | tls | tls.client.x509.subject.organization | keyword | extended | array | Example, Inc. | List of organizations (O) of the subject. |
| 9.1.0 | true | tls | tls.client.x509.subject.organizational_unit | keyword | extended | array | | List of organizational units (OU) of the subject. |
| 9.1.0 | true | tls | tls.client.x509.subject.state_or_province | keyword | extended | array | California | List of state or province names (ST, S, or P). |
| 9.1.0 | true | tls | tls.client.x509.version_number | keyword | extended | | 3 | Version of the X.509 format. |
| 9.1.0 | true | tls | tls.curve | keyword | extended | | secp256r1 | String indicating the curve used for the given cipher, when applicable. |
| 9.1.0 | true | tls | tls.established | boolean | extended | | | Boolean flag indicating whether the TLS negotiation was successful and transitioned to an encrypted tunnel. |
| 9.1.0 | true | tls | tls.next_protocol | keyword | extended | | http/1.1 | String indicating the protocol being tunneled. |
| 9.1.0 | true | tls | tls.resumed | boolean | extended | | | Boolean flag indicating whether this TLS connection was resumed from an existing TLS negotiation. |
| 9.1.0 | true | tls | tls.server.certificate | keyword | extended | | MII... | PEM-encoded stand-alone certificate offered by the server. |
| 9.1.0 | true | tls | tls.server.certificate_chain | keyword | extended | array | ["MII...", "MII..."] | Array of PEM-encoded certificates that make up the certificate chain offered by the server. |
| 9.1.0 | true | tls | tls.server.hash.md5 | keyword | extended | | 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC | Certificate fingerprint using the MD5 digest of the DER-encoded certificate offered by the server. |
| 9.1.0 | true | tls | tls.server.hash.sha1 | keyword | extended | | 9E393D93138888D288266C2D915214D1D1CCEB2A | Certificate fingerprint using the SHA1 digest of the DER-encoded certificate offered by the server. |
| 9.1.0 | true | tls | tls.server.hash.sha256 | keyword | extended | | 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 | Certificate fingerprint using the SHA256 digest of the DER-encoded certificate offered by the server. |
| 9.1.0 | true | tls | tls.server.issuer | keyword | extended | | CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com | Distinguished name of the subject of the issuer of the x.509 certificate presented by the server. |
| 9.1.0 | true | tls | tls.server.ja3s | keyword | extended | | 394441ab65754e2207b1e1b457b3641d | A hash that identifies servers based on how they perform an SSL/TLS handshake. |
| 9.1.0 | true | tls | tls.server.not_after | date | extended | | 2021-01-01T00:00:00.000Z | Timestamp indicating when the server certificate is no longer considered valid. |
| 9.1.0 | true | tls | tls.server.not_before | date | extended | | 1970-01-01T00:00:00.000Z | Timestamp indicating when the server certificate is first considered valid. |
| 9.1.0 | true | tls | tls.server.subject | keyword | extended | | CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com | Distinguished name of the subject of the x.509 certificate presented by the server. |
| 9.1.0 | true | tls | tls.server.x509.alternative_names | keyword | extended | array | `*.elastic.co` | List of subject alternative names (SAN). |
| 9.1.0 | true | tls | tls.server.x509.issuer.common_name | keyword | extended | array | Example SHA2 High Assurance Server CA | List of common names (CN) of the issuing certificate authority. |
| 9.1.0 | true | tls | tls.server.x509.issuer.country | keyword | extended | array | US | List of country (C) codes. |
| 9.1.0 | true | tls | tls.server.x509.issuer.distinguished_name | keyword | extended | | C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA | Distinguished name (DN) of the issuing certificate authority. |
| 9.1.0 | true | tls | tls.server.x509.issuer.locality | keyword | extended | array | Mountain View | List of locality names (L). |
| 9.1.0 | true | tls | tls.server.x509.issuer.organization | keyword | extended | array | Example Inc | List of organizations (O) of the issuing certificate authority. |
| 9.1.0 | true | tls | tls.server.x509.issuer.organizational_unit | keyword | extended | array | www.example.com | List of organizational units (OU) of the issuing certificate authority. |
| 9.1.0 | true | tls | tls.server.x509.issuer.state_or_province | keyword | extended | array | California | List of state or province names (ST, S, or P). |
| 9.1.0 | true | tls | tls.server.x509.not_after | date | extended | | 2020-07-16T03:15:39Z | Time at which the certificate is no longer considered valid. |
| 9.1.0 | true | tls | tls.server.x509.not_before | date | extended | | 2019-08-16T01:40:25Z | Time at which the certificate is first considered valid. |
| 9.1.0 | true | tls | tls.server.x509.public_key_algorithm | keyword | extended | | RSA | Algorithm used to generate the public key. |
| 9.1.0 | true | tls | tls.server.x509.public_key_curve | keyword | extended | | nistp521 | The curve used by the elliptic curve public key algorithm. This is algorithm specific. |
| 9.1.0 | false | tls | tls.server.x509.public_key_exponent | long | extended | | 65537 | Exponent used to derive the public key. This is algorithm specific. |
| 9.1.0 | true | tls | tls.server.x509.public_key_size | long | extended | | 2048 | The size of the public key space in bits. |
| 9.1.0 | true | tls | tls.server.x509.serial_number | keyword | extended | | 55FBB9C7DEBF09809D12CCAA | Unique serial number issued by the certificate authority. |
| 9.1.0 | true | tls | tls.server.x509.signature_algorithm | keyword | extended | | SHA256-RSA | Identifier for the certificate signature algorithm. |
| 9.1.0 | true | tls | tls.server.x509.subject.common_name | keyword | extended | array | shared.global.example.net | List of common names (CN) of the subject. |
| 9.1.0 | true | tls | tls.server.x509.subject.country | keyword | extended | array | US | List of country (C) codes. |
| 9.1.0 | true | tls | tls.server.x509.subject.distinguished_name | keyword | extended | | C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net | Distinguished name (DN) of the certificate subject entity. |
| 9.1.0 | true | tls | tls.server.x509.subject.locality | keyword | extended | array | San Francisco | List of locality names (L). |
| 9.1.0 | true | tls | tls.server.x509.subject.organization | keyword | extended | array | Example, Inc. | List of organizations (O) of the subject. |
| 9.1.0 | true | tls | tls.server.x509.subject.organizational_unit | keyword | extended | array | | List of organizational units (OU) of the subject. |
| 9.1.0 | true | tls | tls.server.x509.subject.state_or_province | keyword | extended | array | California | List of state or province names (ST, S, or P). |
| 9.1.0 | true | tls | tls.server.x509.version_number | keyword | extended | | 3 | Version of the X.509 format. |
| 9.1.0 | true | tls | tls.version | keyword | extended | | 1.2 | Numeric part of the version parsed from the original string. |
| 9.1.0 | true | tls | tls.version_protocol | keyword | extended | | tls | Normalized lowercase protocol name parsed from the original string. |
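
The `tls.*.hash.*` rows above say the fingerprints are digests of the DER form of the certificate, while `tls.*.certificate` carries PEM; the conversion is where mappings usually go wrong (hashing the PEM text, or hashing with the wrong case so the value never matches a threat feed). The block below is an added example, not code from the Wazuh schema or its indexer: it decodes the PEM block to DER, derives the three ECS hash fields in the upper-case hex the examples use, and compares the SHA-256 value against a pin set. The sample "certificate" is a constructed byte string, not a real X.509 object, so the example runs offline; the function names and the pin set are this example's own.

```python
import base64
import hashlib
import re

# A PEM file may carry several blocks; the stand-alone certificate field holds one.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and return its DER bytes.

    Raises ValueError when no block is present or the base64 body is malformed,
    so a truncated capture is rejected instead of being fingerprinted.
    """
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block in input")
    body = "".join(match.group(1).split())        # drop line breaks inside the block
    return base64.b64decode(body, validate=True)


def fingerprints(der: bytes, side: str = "server") -> dict:
    """ECS tls.<side>.hash.* values: hex digests of the DER certificate, upper-case.

    MD5 and SHA1 are kept only for correlation with older intelligence feeds;
    trust decisions (pinning, allow-lists) should use the SHA-256 value.
    """
    return {
        f"tls.{side}.hash.md5": hashlib.md5(der).hexdigest().upper(),
        f"tls.{side}.hash.sha1": hashlib.sha1(der).hexdigest().upper(),
        f"tls.{side}.hash.sha256": hashlib.sha256(der).hexdigest().upper(),
    }


def enrich(doc: dict, side: str = "server") -> dict:
    """Add the hash fields to an event that carries tls.<side>.certificate (PEM)."""
    pem = doc.get(f"tls.{side}.certificate")
    if pem:
        doc.update(fingerprints(pem_to_der(pem), side))
    return doc


def unpinned(doc: dict, pinned_sha256: set, side: str = "server") -> bool:
    """True when the event has a SHA-256 fingerprint that is not in the pin set.

    Comparison is case-insensitive because sensors disagree on hex case.
    An event without a fingerprint is not flagged; absence is a separate signal.
    """
    fp = doc.get(f"tls.{side}.hash.sha256")
    return fp is not None and fp.upper() not in {p.upper() for p in pinned_sha256}


# Constructed sample: a fake DER blob (not a real X.509 certificate) wrapped as PEM.
# Replace with the PEM captured by the sensor in a real pipeline.
SAMPLE_DER = bytes(range(32))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    event = enrich({"tls.client.server_name": "www.elastic.co",
                    "tls.server.certificate": SAMPLE_PEM})
    # Hypothetical pin set for the SNI above; in practice loaded from inventory.
    pins = {"0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0"}
    print(event)
    print("unexpected server certificate:", unpinned(event, pins))
```

The `validate=True` flag matters: without it `b64decode` silently skips characters outside the alphabet, so a corrupted capture would produce a plausible-looking but meaningless fingerprint rather than an error.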

| ECS_Version | Indexed | Field_Set | Field | Type | Level | Normalization | Example | Description |
|---|---|---|---|---|---|---|---|---|
| 9.1.0 | true | trace | trace.id | keyword | extended | | 4bf92f3577b34da6a3ce929d0e0e4736 | Unique identifier of the trace. |
| 9.1.0 | true | transaction | transaction.id | keyword | extended | | 00f067aa0ba902b7 | Unique identifier of the transaction within the scope of its trace. |
| 9.1.0 | true | url | url.domain | keyword | extended | | www.elastic.co | Domain of the URL. |
| 9.1.0 | true | url | url.extension | keyword | extended | | png | File extension from the request URL, excluding the leading dot. |
| 9.1.0 | true | url | url.fragment | keyword | extended | | | Portion of the URL after the `#`. |
| 9.1.0 | true | url | url.full | keyword | extended | | https://www.elastic.co:443/search?q=elasticsearch#top | Full unparsed URL. |
| 9.1.0 | true | url | url.original | keyword | extended | | https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch | Unmodified original URL as seen in the event source. |
| 9.1.0 | true | url | url.password | keyword | extended | | | Password of the request. |
| 9.1.0 | true | url | url.path | keyword | extended | | | Path of the request, such as "/search". |
| 9.1.0 | true | url | url.port | long | extended | | 443 | Port of the request, such as 443. |
| 9.1.0 | true | url | url.query | keyword | extended | | | Query string of the request. |
| 9.1.0 | true | url | url.registered_domain | keyword | extended | | example.com | The highest registered URL domain, stripped of the subdomain. |
| 9.1.0 | true | url | url.scheme | keyword | extended | | https | Scheme of the URL. |
| 9.1.0 | true | url | url.subdomain | keyword | extended | | east | The subdomain of the domain. |
| 9.1.0 | true | url | url.top_level_domain | keyword | extended | | co.uk | The effective top level domain (com, org, net, co.uk). |
| 9.1.0 | true | url | url.username | keyword | extended | | | Username of the request. |
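
The `url.*` rows define the pieces but not how they relate: `url.original` may be only a path (the schema's own example shows `/search?q=elasticsearch`), in which case `url.domain` and `url.full` cannot be populated; `url.registered_domain` and `url.top_level_domain` depend on the public suffix list (`co.uk` is one label of the TLD, not a registered domain); and `url.password` is a credential that most pipelines should not index verbatim. The block below is an added example, not Wazuh's or ECS's own mapper, showing one way to derive the fields with the standard library. The suffix list is a constructed subset (assumption: a real mapper loads the full Public Suffix List), the sample URLs are constructed, and the `<redacted>` marker and function names are this example's choices.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a production mapper
# loads the real list; only the suffixes needed by the samples below are listed).
PUBLIC_SUFFIXES = {"com", "net", "org", "co", "co.uk", "org.uk"}


def split_domain(host: str) -> tuple:
    """Return (subdomain, registered_domain, top_level_domain) for a hostname.

    The longest matching public suffix wins, so 'east.example.co.uk' yields
    ('east', 'example.co.uk', 'co.uk'). IP literals and hosts whose suffix is not
    in the list return empty strings: a wrong registered_domain misleads more
    than a missing one.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or ":" in host or all(label.isdigit() for label in labels):
        return "", "", ""
    for i in range(1, len(labels)):           # longest candidate suffix first
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            registered = ".".join(labels[i - 1:])
            subdomain = ".".join(labels[: i - 1])
            return subdomain, registered, suffix
    return "", "", ""


def to_ecs_url(original: str, redact_password: bool = True) -> dict:
    """Map one URL (absolute or path-only) onto the url.* fields.

    Only fields that are actually present are emitted. url.full is set only when
    the input is absolute, because a path-only url.original has no host to
    complete it. url.password is replaced by a marker unless redact_password is
    False, so credentials seen in logs are not indexed verbatim by default.
    """
    parts = urlsplit(original)
    doc = {"url.original": original}
    if parts.scheme:
        doc["url.scheme"] = parts.scheme
    if parts.scheme and parts.netloc:
        doc["url.full"] = original
    if parts.hostname:
        doc["url.domain"] = parts.hostname
        subdomain, registered, tld = split_domain(parts.hostname)
        if registered:
            doc["url.registered_domain"] = registered
            doc["url.top_level_domain"] = tld
        if subdomain:
            doc["url.subdomain"] = subdomain
    if parts.port is not None:
        doc["url.port"] = parts.port
    if parts.path:
        doc["url.path"] = parts.path
        last = parts.path.rsplit("/", 1)[-1]
        if "." in last[1:]:                   # 'logo.png' -> 'png'; '.hidden' has none
            doc["url.extension"] = last.rsplit(".", 1)[-1]
    if parts.query:
        doc["url.query"] = parts.query
    if parts.fragment:
        doc["url.fragment"] = parts.fragment
    if parts.username:
        doc["url.username"] = parts.username
    if parts.password is not None:
        doc["url.password"] = "<redacted>" if redact_password else parts.password
    return doc


if __name__ == "__main__":
    # Constructed samples: the schema's example URL, a path-only original, and a
    # URL carrying credentials under a multi-label public suffix.
    for sample in ("https://www.elastic.co:443/search?q=elasticsearch#top",
                   "/search?q=elasticsearch",
                   "http://bob:hunter2@east.example.co.uk/images/logo.png"):
        print(to_ecs_url(sample))
```

Keeping `url.original` untouched while the derived fields are normalized preserves the evidence an analyst needs when the parser disagrees with what the source actually logged.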

| ECS_Version | Indexed | Field_Set | Field | Type | Level | Normalization | Example | Description |
|---|---|---|---|---|---|---|---|---|
| 9.1.0 | true | user | user.changes.domain | keyword | extended | | | Name of the directory the user is a member of. |
| 9.1.0 | true | user | user.changes.email | keyword | extended | | | User email address. |
| 9.1.0 | true | user | user.changes.full_name | keyword | extended | | Albert Einstein | User's full name, if available. |
| 9.1.0 | true | user | user.changes.group.domain | keyword | extended | | | Name of the directory the group is a member of. |
| 9.1.0 | true | user | user.changes.group.id | keyword | extended | | | Unique identifier for the group on the system/platform. |
| 9.1.0 | true | user | user.changes.group.name | keyword | extended | | | Name of the group. |
| 9.1.0 | true | user | user.changes.hash | keyword | extended | | | Unique user hash to correlate information for a user in anonymized form. |
| 9.1.0 | true | user | user.changes.id | keyword | core | | S-1-5-21-202424912787-2692429404-2351956786-1000 | Unique identifier of the user. |
| 9.1.0 | true | user | user.changes.name | keyword | core | | a.einstein | Short name or login of the user. |
| 9.1.0 | true | user | user.changes.roles | keyword | extended | array | ["kibana_admin", "reporting_user"] | Array of user roles at the time of the event. |
| 9.1.0 | true | user | user.domain | keyword | extended | | | Name of the directory the user is a member of. |
| 9.1.0 | true | user | user.effective.domain | keyword | extended | | | Name of the directory the user is a member of. |
| 9.1.0 | true | user | user.effective.email | keyword | extended | | | User email address. |
| 9.1.0 | true | user | user.effective.full_name | keyword | extended | | Albert Einstein | User's full name, if available. |
| 9.1.0 | true | user | user.effective.group.domain | keyword | extended | | | Name of the directory the group is a member of. |
| 9.1.0 | true | user | user.effective.group.id | keyword | extended | | | Unique identifier for the group on the system/platform. |
| 9.1.0 | true | user | user.effective.group.name | keyword | extended | | | Name of the group. |
| 9.1.0 | true | user | user.effective.hash | keyword | extended | | | Unique user hash to correlate information for a user in anonymized form. |
| 9.1.0 | true | user | user.effective.id | keyword | core | | S-1-5-21-202424912787-2692429404-2351956786-1000 | Unique identifier of the user. |
| 9.1.0 | true | user | user.effective.name | keyword | core | | a.einstein | Short name or login of the user. |
| 9.1.0 | true | user | user.effective.roles | keyword | extended | array | ["kibana_admin", "reporting_user"] | Array of user roles at the time of the event. |
| 9.1.0 | true | user | user.email | keyword | extended | | | User email address. |
| 9.1.0 | true | user | user.full_name | keyword | extended | | Albert Einstein | User's full name, if available. |
| 9.1.0 | true | user | user.group.domain | keyword | extended | | | Name of the directory the group is a member of. |
| 9.1.0 | true | user | user.group.id | keyword | extended | | | Unique identifier for the group on the system/platform. |
| 9.1.0 | true | user | user.group.name | keyword | extended | | | Name of the group. |
| 9.1.0 | true | user | user.hash | keyword | extended | | | Unique user hash to correlate information for a user in anonymized form. |
| 9.1.0 | true | user | user.id | keyword | core | | S-1-5-21-202424912787-2692429404-2351956786-1000 | Unique identifier of the user. |
| 9.1.0 | true | user | user.name | keyword | core | | a.einstein | Short name or login of the user. |
| 9.1.0 | true | user | user.risk.calculated_level | keyword | extended | | High | A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. |
| 9.1.0 | true | user | user.risk.calculated_score | float | extended | | 880.73 | A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. |
| 9.1.0 | true | user | user.risk.calculated_score_norm | float | extended | | 88.73 | A normalized risk score calculated by an internal system. |
| 9.1.0 | true | user | user.risk.static_level | keyword | extended | | High | A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. |
| 9.1.0 | true | user | user.risk.static_score | float | extended | | 830.0 | A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. |
| 9.1.0 | true | user | user.risk.static_score_norm | float | extended | | 83.0 | A normalized risk score calculated by an external system. |
| 9.1.0 | true | user | user.roles | keyword | extended | array | ["kibana_admin", "reporting_user"] | Array of user roles at the time of the event. |
| 9.1.0 | true | user | user.target.domain | keyword | extended | | | Name of the directory the user is a member of. |
| 9.1.0 | true | user | user.target.email | keyword | extended | | | User email address. |
| 9.1.0 | true | user | user.target.full_name | keyword | extended | | Albert Einstein | User's full name, if available. |
| 9.1.0 | true | user | user.target.group.domain | keyword | extended | | | Name of the directory the group is a member of. |
| 9.1.0 | true | user | user.target.group.id | keyword | extended | | | Unique identifier for the group on the system/platform. |
| 9.1.0 | true | user | user.target.group.name | keyword | extended | | | Name of the group. |
| 9.1.0 | true | user | user.target.hash | keyword | extended | | | Unique user hash to correlate information for a user in anonymized form. |
| 9.1.0 | true | user | user.target.id | keyword | core | | S-1-5-21-202424912787-2692429404-2351956786-1000 | Unique identifier of the user. |
| 9.1.0 | true | user | user.target.name | keyword | core | | a.einstein | Short name or login of the user. |
| 9.1.0 | true | user | user.target.roles | keyword | extended | array | ["kibana_admin", "reporting_user"] | Array of user roles at the time of the event. |

| ECS_Version | Indexed | Field_Set | Field | Type | Level | Normalization | Example | Description |
|---|---|---|---|---|---|---|---|---|
| 9.1.0 | true | user_agent | user_agent.device.name | keyword | extended | | iPhone | Name of the device. |
| 9.1.0 | true | user_agent | user_agent.name | keyword | extended | | Safari | Name of the user agent. |
| 9.1.0 | true | user_agent | user_agent.original | keyword | extended | | Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 | Unparsed user_agent string. |
| 9.1.0 | true | user_agent | user_agent.os.family | keyword | extended | | debian | OS family (such as redhat, debian, freebsd, windows). |
| 9.1.0 | true | user_agent | user_agent.os.full | keyword | extended | | Mac OS Mojave | Operating system name, including the version or code name. |
| 9.1.0 | true | user_agent | user_agent.os.kernel | keyword | extended | | 4.4.0-112-generic | Operating system kernel version as a raw string. |
| 9.1.0 | true | user_agent | user_agent.os.name | keyword | extended | | Mac OS X | Operating system name, without the version. |
| 9.1.0 | true | user_agent | user_agent.os.platform | keyword | extended | | darwin | Operating system platform (such as centos, ubuntu, windows). |
| 9.1.0 | true | user_agent | user_agent.os.type | keyword | extended | | macos | Which commercial OS family (one of: linux, macos, unix, windows, ios or android). |
| 9.1.0 | true | user_agent | user_agent.os.version | keyword | extended | | 10.14.1 | Operating system version as a raw string. |
| 9.1.0 | true | user_agent | user_agent.version | keyword | extended | | 12.0 | Version of the user agent. |

| ECS_Version | Indexed | Field_Set | Field | Type | Level | Normalization | Example | Description |
|---|---|---|---|---|---|---|---|---|
| 9.1.0 | true | volume | volume.bus_type | keyword | extended | | FileBackedVirtual | Bus type of the device. |
| 9.1.0 | true | volume | volume.default_access | keyword | extended | | | Default access of the volume. |
| 9.1.0 | true | volume | volume.device_name | keyword | extended | | | Device name of the volume. |
| 9.1.0 | true | volume | volume.device_type | keyword | extended | | CD-ROM File System | Volume device type. |
| 9.1.0 | true | volume | volume.dos_name | keyword | extended | | E: | DOS name of the device. |
| 9.1.0 | true | volume | volume.file_system_type | keyword | extended | | | Volume device file system type. |
| 9.1.0 | true | volume | volume.mount_name | keyword | extended | | | Mount name of the volume. |
| 9.1.0 | true | volume | volume.nt_name | keyword | extended | | \Device\Cdrom1 | NT name of the device. |
| 9.1.0 | true | volume | volume.product_id | keyword | extended | | | Product ID of the device. |
| 9.1.0 | true | volume | volume.product_name | keyword | extended | | Virtual DVD-ROM | Product name of the volume. |
| 9.1.0 | true | volume | volume.removable | boolean | extended | | | Indicates whether the volume is removable. |
| 9.1.0 | true | volume | volume.serial_number | keyword | extended | | | Serial number of the device. |
| 9.1.0 | true | volume | volume.size | long | extended | | | Size of the volume device in bytes. |
| 9.1.0 | true | volume | volume.vendor_id | keyword | extended | | | Vendor ID of the device. |
| 9.1.0 | true | volume | volume.vendor_name | keyword | extended | | Msft | Vendor name of the device. |
| 9.1.0 | true | volume | volume.writable | boolean | extended | | | Indicates whether the volume is writable. |
| 9.1.0 | true | vulnerability | vulnerability.category | keyword | extended | array | ["Firewall"] | Category of a vulnerability. |
| 9.1.0 | true | vulnerability | vulnerability.classification | keyword | extended | | CVSS | Classification of the vulnerability. |
| 9.1.0 | true | vulnerability | vulnerability.description | keyword | extended | | In macOS before 2.12.6, there is a vulnerability in the RPC... | Description of the vulnerability. |
| 9.1.0 | true | vulnerability | vulnerability.enumeration | keyword | extended | | CVE | Type of identifier used for the vulnerability (for example, CVE). |
| 9.1.0 | true | vulnerability | vulnerability.id | keyword | extended | | CVE-2019-00001 | ID of the vulnerability. |
| 9.1.0 | true | vulnerability | vulnerability.reference | keyword | extended | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 | Reference of the vulnerability. |
| 9.1.0 | true | vulnerability | vulnerability.report_id | keyword | extended | | 20191018.0001 | Scan identification number. |
| 9.1.0 | true | vulnerability | vulnerability.scanner.reference | keyword | custom | | https://www.example.com/vulnerability/12345 | Scanner's resource that provides additional information, context, and mitigations for the identified vulnerability. |
| 9.1.0 | true | vulnerability | vulnerability.scanner.vendor | keyword | extended | | Tenable | Name of the scanner vendor. |
| 9.1.0 | true | vulnerability | vulnerability.score.base | float | extended | | 5.5 | Vulnerability base score. |
| 9.1.0 | true | vulnerability | vulnerability.score.environmental | float | extended | | 5.5 | Vulnerability environmental score. |
| 9.1.0 | true | vulnerability | vulnerability.score.temporal | float | extended | | | Vulnerability temporal score. |
| 9.1.0 | true | vulnerability | vulnerability.score.version | keyword | extended | | 2.0 | CVSS version. |
| 9.1.0 | true | vulnerability | vulnerability.severity | keyword | extended | | Critical | Severity of the vulnerability. |
| 9.1.0 | true | wazuh | wazuh.cluster.name | keyword | custom | | wazuh-cluster-1 | Wazuh cluster name. |
| 9.1.0 | true | wazuh | wazuh.cluster.node | keyword | custom | | wazuh-cluster-node-1 | Wazuh cluster node name. |
| 9.1.0 | true | wazuh | wazuh.integration.category | keyword | custom | | security | Wazuh integration category. |
| 9.1.0 | true | wazuh | wazuh.integration.decoders | keyword | custom | array | ["json", "syslog"] | List of Wazuh decoders applied to the event. |
| 9.1.0 | true | wazuh | wazuh.integration.name | keyword | custom | | Cisco Aironet | Name of the Wazuh integration. |
| 9.1.0 | true | wazuh | wazuh.integration.rules | keyword | custom | array | ["1002", "2003"] | List of Wazuh rules applied to the event. |
| 9.1.0 | true | wazuh | wazuh.protocol.location | keyword | custom | | /var/log/auth.log | Source of the log as retrieved by the Wazuh agent. |
| 9.1.0 | true | wazuh | wazuh.protocol.queue | byte | custom | | 1 | Ingestion queue for the log. |
| 9.1.0 | true | wazuh | wazuh.schema.version | keyword | custom | | 1.7.0 | Wazuh schema version. |