Álex Ruiz Becerra c26e75f505
Add index definition for stateless indices (#554)
* Add index definition for stateless indices

Backported from 6.0.0

* Add module to the automation list

Extend event generator with SCA stuff

* Force automation run

* Revert

* Update ECS templates for modified modules: stateless

* Add back ISM settings and automate the creation of the index template for the wazuh-archives indices

* Update ECS templates for modified modules: stateless

* Update script

* Trigger automation

* Update ECS templates for modified modules: stateless

* Fix output path for the generated archives template

* Update ECS templates for modified modules: stateless

* Increase mappings limit

* Add trailing new lines

---------

Co-authored-by: Wazuh Indexer Bot <github_devel_xdrsiem_indexer@wazuh.com>
2025-08-19 09:59:27 +02:00

214 KiB

1ECS_VersionIndexedField_SetFieldTypeLevelNormalizationExampleDescription
28.11.0truebase@timestampdatecore2016-05-23T08:05:34.853ZDate/time when the event originated.
38.11.0truebaselabelsobjectcore{"application": "foo-bar", "env": "production"}Custom key/value pairs.
48.11.0truebasemessagekeywordcoreHello WorldLog message optimized for viewing in a log viewer.
58.11.0truebasetagskeywordcorearray["production", "env2"]List of keywords used to tag each event.
68.11.0trueagentagent.build.originalkeywordcoremetricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]Extended build information for the agent.
78.11.0trueagentagent.ephemeral_idkeywordextended8a4f500fEphemeral identifier of this agent.
88.11.0trueagentagent.groupskeywordcustomarray["group1", "group2"]List of groups the agent belongs to.
98.11.0trueagentagent.host.architecturekeywordcorex86_64Operating system architecture.
108.11.0trueagentagent.host.boot.idkeywordextended88a1f0ed-5ae5-41ee-af6b-41921c311872Linux boot uuid taken from /proc/sys/kernel/random/boot_id
118.11.0trueagentagent.host.cpuobjectcustom"name": "Intel(R) Core(TM) i7-7700HQ CPU", "cores": 4, "speed": 2800CPU-related data.
128.11.0trueagentagent.host.cpu.coreslongcustom4Number of CPU cores.
138.11.0trueagentagent.host.cpu.namekeywordcustomIntel(R) Core(TM) i7-7700HQ CPUCPU Model name.
148.11.0trueagentagent.host.cpu.speedlongcustom2800CPU clock speed.
158.11.0trueagentagent.host.cpu.usagescaled_floatextendedPercent CPU used, between 0 and 1.
168.11.0trueagentagent.host.disk.read.byteslongextendedThe number of bytes read by all disks.
178.11.0trueagentagent.host.disk.write.byteslongextendedThe number of bytes written on all disks.
188.11.0trueagentagent.host.domainkeywordextendedCONTOSOName of the directory the group is a member of.
198.11.0trueagentagent.host.geo.city_namekeywordcoreMontrealCity name.
208.11.0trueagentagent.host.geo.continent_codekeywordcoreNAContinent code.
218.11.0trueagentagent.host.geo.continent_namekeywordcoreNorth AmericaName of the continent.
228.11.0trueagentagent.host.geo.country_iso_codekeywordcoreCACountry ISO code.
238.11.0trueagentagent.host.geo.country_namekeywordcoreCanadaCountry name.
248.11.0trueagentagent.host.geo.locationgeo_pointcore{ "lon": -73.614830, "lat": 45.505918 }Longitude and latitude.
258.11.0trueagentagent.host.geo.namekeywordextendedboston-dcUser-defined description of a location.
268.11.0trueagentagent.host.geo.postal_codekeywordcore94040Postal code.
278.11.0trueagentagent.host.geo.region_iso_codekeywordcoreCA-QCRegion ISO code.
288.11.0trueagentagent.host.geo.region_namekeywordcoreQuebecRegion name.
298.11.0trueagentagent.host.geo.timezonekeywordcoreAmerica/Argentina/Buenos_AiresTime zone.
308.11.0trueagentagent.host.hostnamekeywordcoreHostname of the host.
318.11.0trueagentagent.host.idkeywordcoreUnique host id.
328.11.0trueagentagent.host.ipipcorearrayHost ip addresses.
338.11.0trueagentagent.host.mackeywordcorearray["00-00-5E-00-53-23", "00-00-5E-00-53-24"]Host MAC addresses.
348.11.0trueagentagent.host.memoryobjectcustom"total": 100000, "free": 90000, "used": {"percentage": 10}Memory-related data.
358.11.0trueagentagent.host.memory.freelongcustom1024Free memory in MB.
368.11.0trueagentagent.host.memory.totallongcustom1024Total memory in MB.
378.11.0trueagentagent.host.memory.usedobjectcustom"percentage": 10Used memory-related data.
388.11.0trueagentagent.host.memory.used.percentagelongcustom10Used memory percentage.
398.11.0trueagentagent.host.namekeywordcoreName of the host.
408.11.0trueagentagent.host.network.egress.byteslongextendedThe number of bytes sent on all network interfaces.
418.11.0trueagentagent.host.network.egress.dropslongcustom10Number of dropped transmitted packets.
428.11.0trueagentagent.host.network.egress.errorslongcustom10Number of transmission errors.
438.11.0trueagentagent.host.network.egress.packetslongextendedThe number of packets sent on all network interfaces.
448.11.0trueagentagent.host.network.egress.queuelongcustom10Transmit queue length.
458.11.0trueagentagent.host.network.ingress.byteslongextendedThe number of bytes received on all network interfaces.
468.11.0trueagentagent.host.network.ingress.dropslongcustom10Number of dropped received packets.
478.11.0trueagentagent.host.network.ingress.errorslongcustom10Number of reception errors.
488.11.0trueagentagent.host.network.ingress.packetslongextendedThe number of packets received on all network interfaces.
498.11.0trueagentagent.host.network.ingress.queuelongcustom10Receive queue length.
508.11.0trueagentagent.host.os.familykeywordextendeddebianOS family (such as redhat, debian, freebsd, windows).
518.11.0trueagentagent.host.os.fullkeywordextendedMac OS MojaveOperating system name, including the version or code name.
528.11.0trueagentagent.host.os.full.textkeywordextendedMac OS MojaveOperating system name, including the version or code name.
538.11.0trueagentagent.host.os.kernelkeywordextended4.4.0-112-genericOperating system kernel version as a raw string.
548.11.0trueagentagent.host.os.namekeywordextendedMac OS XOperating system name, without the version.
558.11.0trueagentagent.host.os.name.textkeywordextendedMac OS XOperating system name, without the version.
568.11.0trueagentagent.host.os.platformkeywordextendeddarwinOperating system platform (such centos, ubuntu, windows).
578.11.0trueagentagent.host.os.typekeywordextendedmacosWhich commercial OS family (one of: linux, macos, unix, windows, ios or android).
588.11.0trueagentagent.host.os.versionkeywordextended10.14.1Operating system version as a raw string.
598.11.0trueagentagent.host.pid_ns_inokeywordextended256383Pid namespace inode
608.11.0trueagentagent.host.risk.calculated_levelkeywordextendedHighA risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
618.11.0trueagentagent.host.risk.calculated_scorefloatextended880.73A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
628.11.0trueagentagent.host.risk.calculated_score_normfloatextended88.73A normalized risk score calculated by an internal system.
638.11.0trueagentagent.host.risk.static_levelkeywordextendedHighA risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform.
648.11.0trueagentagent.host.risk.static_scorefloatextended830.0A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.
658.11.0trueagentagent.host.risk.static_score_normfloatextended83.0A normalized risk score calculated by an external system.
668.11.0trueagentagent.host.typekeywordcoreType of host.
678.11.0trueagentagent.host.uptimelongextended1325Seconds the host has been up.
688.11.0trueagentagent.idkeywordcore8a4f500dUnique identifier of this agent.
698.11.0trueagentagent.namekeywordcorefooCustom name of the agent.
708.11.0trueagentagent.typekeywordcorefilebeatType of the agent.
718.11.0trueagentagent.versionkeywordcore6.0.0-rc2Version of the agent.
728.11.0truecheckcheck.compliancekeywordcustomarray["cis:1.1.1","cis_csc:5.2"]CIS compliance standard.
738.11.0truecheckcheck.conditionkeywordcustomallRelationship between the rules.
748.11.0truecheckcheck.descriptionkeywordcustom"The password history setting determines the number of unique new passwords a user must use before an old password can be reused."Extended description of the check.
758.11.0truecheckcheck.idkeywordcustom26000The ID of the SCA policy check.
768.11.0truecheckcheck.namekeywordcustomEnsure 'Enforce password history' is set to '24 or more password(s)'.The name of the SCA policy check.
778.11.0truecheckcheck.rationalekeywordcustom"The longer a user uses the same password, the more likely it is that the password will be compromised."The reason for the check. Why it is important.
788.11.0truecheckcheck.reasonkeywordcustom"The password history setting is not set to 24 or more password(s)."Reason for the check result.
798.11.0truecheckcheck.referenceskeywordcustomarray["https://workbench.cisecurity.org"]References for the check.
808.11.0truecheckcheck.remediationkeywordcustom"To establish the recommended configuration, set the following registry value to 24 or more password(s):"Actions to take to remediate the check.
818.11.0truecheckcheck.resultkeywordcustomfailedResult of the check.
828.11.0truecheckcheck.ruleskeywordcustomarray"[\"c:net.exe accounts -> n:Maximum password age \(days\):\s+(\d+) compare > 0\"," > "\"c:net.exe accounts -> n:Length of password history maintained:\s+(\d+) compare >= 24\"]"Rules to be evaluated.
838.11.0trueclientclient.addresskeywordextendedClient network address.
848.11.0trueclientclient.as.numberlongextended15169Unique number allocated to the autonomous system.
858.11.0trueclientclient.as.organization.namekeywordextendedGoogle LLCOrganization name.
868.11.0trueclientclient.as.organization.name.textkeywordextendedGoogle LLCOrganization name.
878.11.0trueclientclient.byteslongcore184Bytes sent from the client to the server.
888.11.0trueclientclient.domainkeywordcorefoo.example.comThe domain name of the client.
898.11.0trueclientclient.geo.city_namekeywordcoreMontrealCity name.
908.11.0trueclientclient.geo.continent_codekeywordcoreNAContinent code.
918.11.0trueclientclient.geo.continent_namekeywordcoreNorth AmericaName of the continent.
928.11.0trueclientclient.geo.country_iso_codekeywordcoreCACountry ISO code.
938.11.0trueclientclient.geo.country_namekeywordcoreCanadaCountry name.
948.11.0trueclientclient.geo.locationgeo_pointcore{ "lon": -73.614830, "lat": 45.505918 }Longitude and latitude.
958.11.0trueclientclient.geo.namekeywordextendedboston-dcUser-defined description of a location.
968.11.0trueclientclient.geo.postal_codekeywordcore94040Postal code.
978.11.0trueclientclient.geo.region_iso_codekeywordcoreCA-QCRegion ISO code.
988.11.0trueclientclient.geo.region_namekeywordcoreQuebecRegion name.
998.11.0trueclientclient.geo.timezonekeywordcoreAmerica/Argentina/Buenos_AiresTime zone.
1008.11.0trueclientclient.ipipcoreIP address of the client.
1018.11.0trueclientclient.mackeywordcore00-00-5E-00-53-23MAC address of the client.
1028.11.0trueclientclient.nat.ipipextendedClient NAT ip address
1038.11.0trueclientclient.nat.portlongextendedClient NAT port
1048.11.0trueclientclient.packetslongcore12Packets sent from the client to the server.
1058.11.0trueclientclient.portlongcorePort of the client.
1068.11.0trueclientclient.registered_domainkeywordextendedexample.comThe highest registered client domain, stripped of the subdomain.
1078.11.0trueclientclient.subdomainkeywordextendedeastThe subdomain of the domain.
1088.11.0trueclientclient.top_level_domainkeywordextendedco.ukThe effective top level domain (com, org, net, co.uk).
1098.11.0trueclientclient.user.domainkeywordextendedName of the directory the user is a member of.
1108.11.0trueclientclient.user.emailkeywordextendedUser email address.
1118.11.0trueclientclient.user.full_namekeywordextendedAlbert EinsteinUser's full name, if available.
1128.11.0trueclientclient.user.full_name.textkeywordextendedAlbert EinsteinUser's full name, if available.
1138.11.0trueclientclient.user.group.domainkeywordextendedName of the directory the group is a member of.
1148.11.0trueclientclient.user.group.idkeywordextendedUnique identifier for the group on the system/platform.
1158.11.0trueclientclient.user.group.namekeywordextendedName of the group.
1168.11.0trueclientclient.user.hashkeywordextendedUnique user hash to correlate information for a user in anonymized form.
1178.11.0trueclientclient.user.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
1188.11.0trueclientclient.user.namekeywordcorea.einsteinShort name or login of the user.
1198.11.0trueclientclient.user.name.textkeywordcorea.einsteinShort name or login of the user.
1208.11.0trueclientclient.user.roleskeywordextendedarray["kibana_admin", "reporting_user"]Array of user roles at the time of the event.
1218.11.0truecloudcloud.account.idkeywordextended666777888999The cloud account or organization id.
1228.11.0truecloudcloud.account.namekeywordextendedelastic-devThe cloud account name.
1238.11.0truecloudcloud.availability_zonekeywordextendedus-east-1cAvailability zone in which this host, resource, or service is located.
1248.11.0truecloudcloud.instance.idkeywordextendedi-1234567890abcdef0Instance ID of the host machine.
1258.11.0truecloudcloud.instance.namekeywordextendedInstance name of the host machine.
1268.11.0truecloudcloud.machine.typekeywordextendedt2.mediumMachine type of the host machine.
1278.11.0truecloudcloud.origin.account.idkeywordextended666777888999The cloud account or organization id.
1288.11.0truecloudcloud.origin.account.namekeywordextendedelastic-devThe cloud account name.
1298.11.0truecloudcloud.origin.availability_zonekeywordextendedus-east-1cAvailability zone in which this host, resource, or service is located.
1308.11.0truecloudcloud.origin.instance.idkeywordextendedi-1234567890abcdef0Instance ID of the host machine.
1318.11.0truecloudcloud.origin.instance.namekeywordextendedInstance name of the host machine.
1328.11.0truecloudcloud.origin.machine.typekeywordextendedt2.mediumMachine type of the host machine.
1338.11.0truecloudcloud.origin.project.idkeywordextendedmy-projectThe cloud project id.
1348.11.0truecloudcloud.origin.project.namekeywordextendedmy projectThe cloud project name.
1358.11.0truecloudcloud.origin.providerkeywordextendedawsName of the cloud provider.
1368.11.0truecloudcloud.origin.regionkeywordextendedus-east-1Region in which this host, resource, or service is located.
1378.11.0truecloudcloud.origin.service.namekeywordextendedlambdaThe cloud service name.
1388.11.0truecloudcloud.project.idkeywordextendedmy-projectThe cloud project id.
1398.11.0truecloudcloud.project.namekeywordextendedmy projectThe cloud project name.
1408.11.0truecloudcloud.providerkeywordextendedawsName of the cloud provider.
1418.11.0truecloudcloud.regionkeywordextendedus-east-1Region in which this host, resource, or service is located.
1428.11.0truecloudcloud.service.namekeywordextendedlambdaThe cloud service name.
1438.11.0truecloudcloud.target.account.idkeywordextended666777888999The cloud account or organization id.
1448.11.0truecloudcloud.target.account.namekeywordextendedelastic-devThe cloud account name.
1458.11.0truecloudcloud.target.availability_zonekeywordextendedus-east-1cAvailability zone in which this host, resource, or service is located.
1468.11.0truecloudcloud.target.instance.idkeywordextendedi-1234567890abcdef0Instance ID of the host machine.
1478.11.0truecloudcloud.target.instance.namekeywordextendedInstance name of the host machine.
1488.11.0truecloudcloud.target.machine.typekeywordextendedt2.mediumMachine type of the host machine.
1498.11.0truecloudcloud.target.project.idkeywordextendedmy-projectThe cloud project id.
1508.11.0truecloudcloud.target.project.namekeywordextendedmy projectThe cloud project name.
1518.11.0truecloudcloud.target.providerkeywordextendedawsName of the cloud provider.
1528.11.0truecloudcloud.target.regionkeywordextendedus-east-1Region in which this host, resource, or service is located.
1538.11.0truecloudcloud.target.service.namekeywordextendedlambdaThe cloud service name.
1548.11.0truecontainercontainer.cpu.usagescaled_floatextendedPercent CPU used, between 0 and 1.
1558.11.0truecontainercontainer.disk.read.byteslongextendedThe number of bytes read by all disks.
1568.11.0truecontainercontainer.disk.write.byteslongextendedThe number of bytes written on all disks.
1578.11.0truecontainercontainer.idkeywordcoreUnique container id.
1588.11.0truecontainercontainer.image.hash.allkeywordextendedarray[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26]An array of digests of the image the container was built on.
1598.11.0truecontainercontainer.image.namekeywordextendedName of the image the container was built on.
1608.11.0truecontainercontainer.image.tagkeywordextendedarrayContainer image tags.
1618.11.0truecontainercontainer.labelsobjectextendedImage labels.
1628.11.0truecontainercontainer.memory.usagescaled_floatextendedPercent memory used, between 0 and 1.
1638.11.0truecontainercontainer.namekeywordextendedContainer name.
1648.11.0truecontainercontainer.network.egress.byteslongextendedThe number of bytes sent on all network interfaces.
1658.11.0truecontainercontainer.network.ingress.byteslongextendedThe number of bytes received on all network interfaces.
1668.11.0truecontainercontainer.runtimekeywordextendeddockerRuntime managing this container.
1678.11.0truecontainercontainer.security_context.privilegedbooleanextendedIndicates whether the container is running in privileged mode.
1688.11.0truedata_streamdata_stream.datasetkeywordextendednginx.accessThe field can contain anything that makes sense to signify the source of the data.
1698.11.0truedata_streamdata_stream.namespacekeywordextendedproductionA user defined namespace. Namespaces are useful to allow grouping of data.
1708.11.0truedata_streamdata_stream.typekeywordextendedlogsAn overarching type for the data stream.
1718.11.0truedestinationdestination.addresskeywordextendedDestination network address.
1728.11.0truedestinationdestination.as.numberlongextended15169Unique number allocated to the autonomous system.
1738.11.0truedestinationdestination.as.organization.namekeywordextendedGoogle LLCOrganization name.
1748.11.0truedestinationdestination.as.organization.name.textkeywordextendedGoogle LLCOrganization name.
1758.11.0truedestinationdestination.byteslongcore184Bytes sent from the destination to the source.
1768.11.0truedestinationdestination.domainkeywordcorefoo.example.comThe domain name of the destination.
1778.11.0truedestinationdestination.geo.city_namekeywordcoreMontrealCity name.
1788.11.0truedestinationdestination.geo.continent_codekeywordcoreNAContinent code.
1798.11.0truedestinationdestination.geo.continent_namekeywordcoreNorth AmericaName of the continent.
1808.11.0truedestinationdestination.geo.country_iso_codekeywordcoreCACountry ISO code.
1818.11.0truedestinationdestination.geo.country_namekeywordcoreCanadaCountry name.
1828.11.0truedestinationdestination.geo.locationgeo_pointcore{ "lon": -73.614830, "lat": 45.505918 }Longitude and latitude.
1838.11.0truedestinationdestination.geo.namekeywordextendedboston-dcUser-defined description of a location.
1848.11.0truedestinationdestination.geo.postal_codekeywordcore94040Postal code.
1858.11.0truedestinationdestination.geo.region_iso_codekeywordcoreCA-QCRegion ISO code.
1868.11.0truedestinationdestination.geo.region_namekeywordcoreQuebecRegion name.
1878.11.0truedestinationdestination.geo.timezonekeywordcoreAmerica/Argentina/Buenos_AiresTime zone.
1888.11.0truedestinationdestination.ipipcoreIP address of the destination.
1898.11.0truedestinationdestination.mackeywordcore00-00-5E-00-53-23MAC address of the destination.
1908.11.0truedestinationdestination.nat.ipipextendedDestination NAT ip
1918.11.0truedestinationdestination.nat.portlongextendedDestination NAT Port
1928.11.0truedestinationdestination.packetslongcore12Packets sent from the destination to the source.
1938.11.0truedestinationdestination.portlongcorePort of the destination.
1948.11.0truedestinationdestination.registered_domainkeywordextendedexample.comThe highest registered destination domain, stripped of the subdomain.
1958.11.0truedestinationdestination.subdomainkeywordextendedeastThe subdomain of the domain.
1968.11.0truedestinationdestination.top_level_domainkeywordextendedco.ukThe effective top level domain (com, org, net, co.uk).
1978.11.0truedestinationdestination.user.domainkeywordextendedName of the directory the user is a member of.
1988.11.0truedestinationdestination.user.emailkeywordextendedUser email address.
1998.11.0truedestinationdestination.user.full_namekeywordextendedAlbert EinsteinUser's full name, if available.
2008.11.0truedestinationdestination.user.full_name.textkeywordextendedAlbert EinsteinUser's full name, if available.
2018.11.0truedestinationdestination.user.group.domainkeywordextendedName of the directory the group is a member of.
2028.11.0truedestinationdestination.user.group.idkeywordextendedUnique identifier for the group on the system/platform.
2038.11.0truedestinationdestination.user.group.namekeywordextendedName of the group.
2048.11.0truedestinationdestination.user.hashkeywordextendedUnique user hash to correlate information for a user in anonymized form.
2058.11.0truedestinationdestination.user.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
2068.11.0truedestinationdestination.user.namekeywordcorea.einsteinShort name or login of the user.
2078.11.0truedestinationdestination.user.name.textkeywordcorea.einsteinShort name or login of the user.
2088.11.0truedestinationdestination.user.roleskeywordextendedarray["kibana_admin", "reporting_user"]Array of user roles at the time of the event.
2098.11.0truedevicedevice.idkeywordextended00000000-54b3-e7c7-0000-000046bffd97The unique identifier of a device.
2108.11.0truedevicedevice.manufacturerkeywordextendedSamsungThe vendor name of the device manufacturer.
2118.11.0truedevicedevice.model.identifierkeywordextendedSM-G920FThe machine readable identifier of the device model.
2128.11.0truedevicedevice.model.namekeywordextendedSamsung Galaxy S6The human readable marketing name of the device model.
2138.11.0truedlldll.code_signature.digest_algorithmkeywordextendedsha256Hashing algorithm used to sign the process.
2148.11.0truedlldll.code_signature.existsbooleancoretrueBoolean to capture if a signature is present.
2158.11.0truedlldll.code_signature.signing_idkeywordextendedcom.apple.xpc.proxyThe identifier used to sign the process.
2168.11.0truedlldll.code_signature.statuskeywordextendedERROR_UNTRUSTED_ROOTAdditional information about the certificate status.
2178.11.0truedlldll.code_signature.subject_namekeywordcoreMicrosoft CorporationSubject name of the code signer
2188.11.0truedlldll.code_signature.team_idkeywordextendedEQHXZ8M8AVThe team identifier used to sign the process.
2198.11.0truedlldll.code_signature.timestampdateextended2021-01-01T12:10:30ZWhen the signature was generated and signed.
2208.11.0truedlldll.code_signature.trustedbooleanextendedtrueStores the trust status of the certificate chain.
2218.11.0truedlldll.code_signature.validbooleanextendedtrueBoolean to capture if the digital signature is verified against the binary content.
2228.11.0truedlldll.hash.md5keywordextendedMD5 hash.
2238.11.0truedlldll.hash.sha1keywordextendedSHA1 hash.
2248.11.0truedlldll.hash.sha256keywordextendedSHA256 hash.
2258.11.0truedlldll.hash.sha384keywordextendedSHA384 hash.
2268.11.0truedlldll.hash.sha512keywordextendedSHA512 hash.
2278.11.0truedlldll.hash.ssdeepkeywordextendedSSDEEP hash.
2288.11.0truedlldll.hash.tlshkeywordextendedTLSH hash.
2298.11.0truedlldll.namekeywordcorekernel32.dllName of the library.
2308.11.0truedlldll.pathkeywordextendedC:\Windows\System32\kernel32.dllFull file path of the library.
2318.11.0truedlldll.pe.architecturekeywordextendedx64CPU architecture target for the file.
2328.11.0truedlldll.pe.companykeywordextendedMicrosoft CorporationInternal company name of the file, provided at compile-time.
2338.11.0truedlldll.pe.descriptionkeywordextendedPaintInternal description of the file, provided at compile-time.
2348.11.0truedlldll.pe.file_versionkeywordextended6.3.9600.17415Process name.
2358.11.0truedlldll.pe.go_import_hashkeywordextended10bddcb4cee42080f76c88d9ff964491A hash of the Go language imports in a PE file.
2368.11.0truedlldll.pe.go_importsflat_objectextendedList of imported Go language element names and types.
2378.11.0truedlldll.pe.go_imports_names_entropylongextendedShannon entropy calculation from the list of Go imports.
2388.11.0truedlldll.pe.go_imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of Go imports.
2398.11.0truedlldll.pe.go_strippedbooleanextendedWhether the file is a stripped or obfuscated Go executable.
2408.11.0truedlldll.pe.imphashkeywordextended0c6803c4e922103c4dca5963aad36ddfA hash of the imports in a PE file.
2418.11.0truedlldll.pe.import_hashkeywordextendedd41d8cd98f00b204e9800998ecf8427eA hash of the imports in a PE file.
2428.11.0truedlldll.pe.importsflat_objectextendedarrayList of imported element names and types.
2438.11.0truedlldll.pe.imports_names_entropylongextendedShannon entropy calculation from the list of imported element names and types.
2448.11.0truedlldll.pe.imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of imported element names and types.
2458.11.0truedlldll.pe.original_file_namekeywordextendedMSPAINT.EXEInternal name of the file, provided at compile-time.
2468.11.0truedlldll.pe.pehashkeywordextended73ff189b63cd6be375a7ff25179a38d347651975A hash of the PE header and data from one or more PE sections.
2478.11.0truedlldll.pe.productkeywordextendedMicrosoft® Windows® Operating SystemInternal product name of the file, provided at compile-time.
2488.11.0truedlldll.pe.sectionsnestedextendedarraySection information of the PE file.
2498.11.0truedlldll.pe.sections.entropylongextendedShannon entropy calculation from the section.
2508.11.0truedlldll.pe.sections.namekeywordextendedPE Section List name.
2518.11.0truedlldll.pe.sections.physical_sizelongextendedPE Section List physical size.
2528.11.0truedlldll.pe.sections.var_entropylongextendedVariance for Shannon entropy calculation from the section.
2538.11.0truedlldll.pe.sections.virtual_sizelongextendedPE Section List virtual size. This is always the same as `physical_size`.
2548.11.0truednsdns.answersobjectextendedarrayArray of DNS answers.
2558.11.0truednsdns.answers.classkeywordextendedINThe class of DNS data contained in this resource record.
2568.11.0truednsdns.answers.datakeywordextended10.10.10.10The data describing the resource.
2578.11.0truednsdns.answers.namekeywordextendedwww.example.comThe domain name to which this resource record pertains.
2588.11.0truednsdns.answers.ttllongextended180The time interval in seconds that this resource record may be cached before it should be discarded.
2598.11.0truednsdns.answers.typekeywordextendedCNAMEThe type of data contained in this resource record.
2608.11.0truednsdns.header_flagskeywordextendedarray["RD", "RA"]Array of DNS header flags.
2618.11.0truednsdns.idkeywordextended62111The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
2628.11.0truednsdns.op_codekeywordextendedQUERYThe DNS operation code that specifies the kind of query in the message.
2638.11.0truednsdns.question.classkeywordextendedINThe class of records being queried.
2648.11.0truednsdns.question.namekeywordextendedwww.example.comThe name being queried.
2658.11.0truednsdns.question.registered_domainkeywordextendedexample.comThe highest registered domain, stripped of the subdomain.
2668.11.0truednsdns.question.subdomainkeywordextendedwwwThe subdomain of the domain.
2678.11.0truednsdns.question.top_level_domainkeywordextendedco.ukThe effective top level domain (com, org, net, co.uk).
2688.11.0truednsdns.question.typekeywordextendedAAAAThe type of record being queried.
2698.11.0truednsdns.resolved_ipipextendedarray["10.10.10.10", "10.10.10.11"]Array containing all IPs seen in answers.data
2708.11.0truednsdns.response_codekeywordextendedNOERRORThe DNS response code.
2718.11.0truednsdns.typekeywordextendedanswerThe type of DNS event captured, query or answer.
2728.11.0trueecsecs.versionkeywordcore1.0.0ECS version this event conforms to.
2738.11.0trueemailemail.attachmentsnestedextendedarrayList of objects describing the attachments.
2748.11.0trueemailemail.attachments.file.extensionkeywordextendedtxtAttachment file extension.
2758.11.0trueemailemail.attachments.file.hash.md5keywordextendedMD5 hash.
2768.11.0trueemailemail.attachments.file.hash.sha1keywordextendedSHA1 hash.
2778.11.0trueemailemail.attachments.file.hash.sha256keywordextendedSHA256 hash.
2788.11.0trueemailemail.attachments.file.hash.sha384keywordextendedSHA384 hash.
2798.11.0trueemailemail.attachments.file.hash.sha512keywordextendedSHA512 hash.
2808.11.0trueemailemail.attachments.file.hash.ssdeepkeywordextendedSSDEEP hash.
2818.11.0trueemailemail.attachments.file.hash.tlshkeywordextendedTLSH hash.
2828.11.0trueemailemail.attachments.file.mime_typekeywordextendedtext/plainMIME type of the attachment file.
2838.11.0trueemailemail.attachments.file.namekeywordextendedattachment.txtName of the attachment file.
2848.11.0trueemailemail.attachments.file.sizelongextended64329Attachment file size.
2858.11.0trueemailemail.bcc.addresskeywordextendedarraybcc.user1@example.comEmail address of BCC recipient
2868.11.0trueemailemail.cc.addresskeywordextendedarraycc.user1@example.comEmail address of CC recipient
2878.11.0trueemailemail.content_typekeywordextendedtext/plainMIME type of the email message.
2888.11.0trueemailemail.delivery_timestampdateextended2020-11-10T22:12:34.8196921ZDate and time when message was delivered.
2898.11.0trueemailemail.directionkeywordextendedinboundDirection of the message.
2908.11.0trueemailemail.from.addresskeywordextendedarraysender@example.comThe sender's email address.
2918.11.0trueemailemail.local_idkeywordextendedc26dbea0-80d5-463b-b93c-4e8b708219ceUnique identifier given by the source.
2928.11.0trueemailemail.message_idkeywordextended81ce15$8r2j59@mail01.example.comValue from the Message-ID header.
2938.11.0trueemailemail.origination_timestampdateextended2020-11-10T22:12:34.8196921ZDate and time the email was composed.
2948.11.0trueemailemail.reply_to.addresskeywordextendedarrayreply.here@example.comAddress replies should be delivered to.
2958.11.0trueemailemail.sender.addresskeywordextendedAddress of the message sender.
2968.11.0trueemailemail.subjectkeywordextendedPlease see this important message.The subject of the email message.
2978.11.0trueemailemail.subject.textkeywordextendedPlease see this important message.The subject of the email message.
2988.11.0trueemailemail.to.addresskeywordextendedarrayuser1@example.comEmail address of recipient
2998.11.0trueemailemail.x_mailerkeywordextendedSpambot v2.5Application that drafted email.
3008.11.0trueerrorerror.codekeywordcoreError code describing the error.
3018.11.0trueerrorerror.idkeywordcoreUnique identifier for the error.
3028.11.0trueerrorerror.messagekeywordcoreError message.
3038.11.0trueerrorerror.stack_tracekeywordextendedThe stack trace of this error in plain text.
3048.11.0trueerrorerror.stack_trace.textkeywordextendedThe stack trace of this error in plain text.
3058.11.0trueerrorerror.typekeywordextendedjava.lang.NullPointerExceptionThe type of the error, for example the class name of the exception.
| 8.11.0 | true | event | event.action | keyword | core | | user-password-change | The action captured by the event. |
| 8.11.0 | true | event | event.agent_id_status | keyword | extended | | verified | Validation status of the event's agent.id field. |
| 8.11.0 | true | event | event.category | keyword | core | array | authentication | Event category. The second categorization field in the hierarchy. |
| 8.11.0 | true | event | event.changed_fields | keyword | custom | array | ["foo", "bar"] | Fields that were updated since the last scan. |
| 8.11.0 | true | event | event.code | keyword | extended | | 4648 | Identification code for this event. |
| 8.11.0 | true | event | event.collector | keyword | custom | | file | Collector used to retrieve the event. |
| 8.11.0 | true | event | event.created | date | core | | 2016-05-23T08:05:34.857Z | Time when the event was first read by an agent or by your pipeline. |
| 8.11.0 | true | event | event.dataset | keyword | core | | apache.access | Name of the dataset. |
| 8.11.0 | true | event | event.duration | long | core | | | Duration of the event in nanoseconds. |
| 8.11.0 | true | event | event.end | date | extended | | | `event.end` contains the date when the event ended or when the activity was last observed. |
| 8.11.0 | true | event | event.hash | keyword | extended | | 123456789012345678901234567890ABCD | Hash (perhaps a logstash fingerprint) of the raw field, used to demonstrate log integrity. |
| 8.11.0 | true | event | event.id | keyword | core | | 8a4f500d | Unique ID to describe the event. |
| 8.11.0 | true | event | event.ingested | date | core | | 2016-05-23T08:05:35.101Z | Timestamp when an event arrived in the central data store. |
| 8.11.0 | true | event | event.kind | keyword | core | | alert | The kind of the event. The highest categorization field in the hierarchy. |
| 8.11.0 | true | event | event.module | keyword | core | | apache | Name of the module this data is coming from. |
| 8.11.0 | false | event | event.original | keyword | core | | Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232 | Raw text message of the entire event. |
| 8.11.0 | true | event | event.outcome | keyword | core | | success | The outcome of the event. The lowest level categorization field in the hierarchy. |
| 8.11.0 | true | event | event.provider | keyword | extended | | kernel | Source of the event. |
| 8.11.0 | true | event | event.reason | keyword | extended | | Terminated an unexpected process | Reason why this event happened, according to the source. |
| 8.11.0 | true | event | event.reference | keyword | extended | | https://system.example.com/event/#0001234 | Event reference URL. |
| 8.11.0 | true | event | event.risk_score | float | core | | | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. |
| 8.11.0 | true | event | event.risk_score_norm | float | extended | | | Normalized risk score or priority of the event (0-100). |
| 8.11.0 | true | event | event.sequence | long | extended | | | Sequence number of the event. |
| 8.11.0 | true | event | event.severity | long | core | | 7 | Numeric severity of the event. |
| 8.11.0 | true | event | event.start | date | extended | | | `event.start` contains the date when the event started or when the activity was first observed. |
| 8.11.0 | true | event | event.timezone | keyword | extended | | | Event time zone. |
| 8.11.0 | true | event | event.type | keyword | core | array | | Event type. The third categorization field in the hierarchy. |
| 8.11.0 | true | event | event.url | keyword | extended | | https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe | Event investigation URL. |
| 8.11.0 | true | faas | faas.coldstart | boolean | extended | | | Boolean value indicating a cold start of a function. |
| 8.11.0 | true | faas | faas.execution | keyword | extended | | af9d5aa4-a685-4c5f-a22b-444f80b3cc28 | The execution ID of the current function execution. |
| 8.11.0 | true | faas | faas.id | keyword | extended | | arn:aws:lambda:us-west-2:123456789012:function:my-function | The unique identifier of a serverless function. |
| 8.11.0 | true | faas | faas.name | keyword | extended | | my-function | The name of a serverless function. |
| 8.11.0 | true | faas | faas.trigger.request_id | keyword | extended | | 123456789 | The ID of the trigger request, message, event, etc. |
| 8.11.0 | true | faas | faas.trigger.type | keyword | extended | | http | The trigger for the function execution. |
| 8.11.0 | true | faas | faas.version | keyword | extended | | 123 | The version of a serverless function. |
| 8.11.0 | true | file | file.accessed | date | extended | | | Last time the file was accessed. |
| 8.11.0 | true | file | file.attributes | keyword | extended | array | ["readonly", "system"] | Array of file attributes. |
| 8.11.0 | true | file | file.code_signature.digest_algorithm | keyword | extended | | sha256 | Hashing algorithm used to sign the process. |
| 8.11.0 | true | file | file.code_signature.exists | boolean | core | | true | Boolean to capture if a signature is present. |
| 8.11.0 | true | file | file.code_signature.signing_id | keyword | extended | | com.apple.xpc.proxy | The identifier used to sign the process. |
| 8.11.0 | true | file | file.code_signature.status | keyword | extended | | ERROR_UNTRUSTED_ROOT | Additional information about the certificate status. |
| 8.11.0 | true | file | file.code_signature.subject_name | keyword | core | | Microsoft Corporation | Subject name of the code signer. |
| 8.11.0 | true | file | file.code_signature.team_id | keyword | extended | | EQHXZ8M8AV | The team identifier used to sign the process. |
| 8.11.0 | true | file | file.code_signature.timestamp | date | extended | | 2021-01-01T12:10:30Z | When the signature was generated and signed. |
| 8.11.0 | true | file | file.code_signature.trusted | boolean | extended | | true | Stores the trust status of the certificate chain. |
| 8.11.0 | true | file | file.code_signature.valid | boolean | extended | | true | Boolean to capture if the digital signature is verified against the binary content. |
| 8.11.0 | true | file | file.created | date | extended | | | File creation time. |
| 8.11.0 | true | file | file.ctime | date | extended | | | Last time the file attributes or metadata changed. |
| 8.11.0 | true | file | file.device | keyword | extended | | sda | Device that is the source of the file. |
| 8.11.0 | true | file | file.directory | keyword | extended | | /home/alice | Directory where the file is located. |
| 8.11.0 | true | file | file.drive_letter | keyword | extended | | C | Drive letter where the file is located. |
| 8.11.0 | true | file | file.elf.architecture | keyword | extended | | x86-64 | Machine architecture of the ELF file. |
| 8.11.0 | true | file | file.elf.byte_order | keyword | extended | | Little Endian | Byte sequence of the ELF file. |
| 8.11.0 | true | file | file.elf.cpu_type | keyword | extended | | Intel | CPU type of the ELF file. |
| 8.11.0 | true | file | file.elf.creation_date | date | extended | | | Build or compile date. |
| 8.11.0 | true | file | file.elf.exports | flat_object | extended | array | | List of exported element names and types. |
| 8.11.0 | true | file | file.elf.go_import_hash | keyword | extended | | 10bddcb4cee42080f76c88d9ff964491 | A hash of the Go language imports in an ELF file. |
| 8.11.0 | true | file | file.elf.go_imports | flat_object | extended | | | List of imported Go language element names and types. |
| 8.11.0 | true | file | file.elf.go_imports_names_entropy | long | extended | | | Shannon entropy calculation from the list of Go imports. |
| 8.11.0 | true | file | file.elf.go_imports_names_var_entropy | long | extended | | | Variance for the Shannon entropy calculation from the list of Go imports. |
| 8.11.0 | true | file | file.elf.go_stripped | boolean | extended | | | Whether the file is a stripped or obfuscated Go executable. |
| 8.11.0 | true | file | file.elf.header.abi_version | keyword | extended | | | Version of the ELF Application Binary Interface (ABI). |
| 8.11.0 | true | file | file.elf.header.class | keyword | extended | | | Header class of the ELF file. |
| 8.11.0 | true | file | file.elf.header.data | keyword | extended | | | Data table of the ELF header. |
| 8.11.0 | true | file | file.elf.header.entrypoint | long | extended | | | Header entrypoint of the ELF file. |
| 8.11.0 | true | file | file.elf.header.object_version | keyword | extended | | | "0x1" for original ELF files. |
| 8.11.0 | true | file | file.elf.header.os_abi | keyword | extended | | | Application Binary Interface (ABI) of the Linux OS. |
| 8.11.0 | true | file | file.elf.header.type | keyword | extended | | | Header type of the ELF file. |
| 8.11.0 | true | file | file.elf.header.version | keyword | extended | | | Version of the ELF header. |
| 8.11.0 | true | file | file.elf.import_hash | keyword | extended | | d41d8cd98f00b204e9800998ecf8427e | A hash of the imports in an ELF file. |
| 8.11.0 | true | file | file.elf.imports | flat_object | extended | array | | List of imported element names and types. |
| 8.11.0 | true | file | file.elf.imports_names_entropy | long | extended | | | Shannon entropy calculation from the list of imported element names and types. |
| 8.11.0 | true | file | file.elf.imports_names_var_entropy | long | extended | | | Variance for the Shannon entropy calculation from the list of imported element names and types. |
| 8.11.0 | true | file | file.elf.sections | nested | extended | array | | Section information of the ELF file. |
| 8.11.0 | true | file | file.elf.sections.chi2 | long | extended | | | Chi-square probability distribution of the section. |
| 8.11.0 | true | file | file.elf.sections.entropy | long | extended | | | Shannon entropy calculation from the section. |
| 8.11.0 | true | file | file.elf.sections.flags | keyword | extended | | | ELF Section List flags. |
| 8.11.0 | true | file | file.elf.sections.name | keyword | extended | | | ELF Section List name. |
| 8.11.0 | true | file | file.elf.sections.physical_offset | keyword | extended | | | ELF Section List offset. |
| 8.11.0 | true | file | file.elf.sections.physical_size | long | extended | | | ELF Section List physical size. |
| 8.11.0 | true | file | file.elf.sections.type | keyword | extended | | | ELF Section List type. |
| 8.11.0 | true | file | file.elf.sections.var_entropy | long | extended | | | Variance for the Shannon entropy calculation from the section. |
| 8.11.0 | true | file | file.elf.sections.virtual_address | long | extended | | | ELF Section List virtual address. |
| 8.11.0 | true | file | file.elf.sections.virtual_size | long | extended | | | ELF Section List virtual size. |
| 8.11.0 | true | file | file.elf.segments | nested | extended | array | | ELF object segment list. |
| 8.11.0 | true | file | file.elf.segments.sections | keyword | extended | | | ELF object segment sections. |
| 8.11.0 | true | file | file.elf.segments.type | keyword | extended | | | ELF object segment type. |
| 8.11.0 | true | file | file.elf.shared_libraries | keyword | extended | array | | List of shared libraries used by this ELF object. |
| 8.11.0 | true | file | file.elf.telfhash | keyword | extended | | | telfhash hash for the ELF file. |
| 8.11.0 | true | file | file.extension | keyword | extended | | png | File extension, excluding the leading dot. |
| 8.11.0 | true | file | file.fork_name | keyword | extended | | Zone.Identifier | A fork is additional data associated with a filesystem object. |
| 8.11.0 | true | file | file.gid | keyword | extended | | 1001 | Primary group ID (GID) of the file. |
| 8.11.0 | true | file | file.group | keyword | extended | | alice | Primary group name of the file. |
| 8.11.0 | true | file | file.hash.md5 | keyword | extended | | | MD5 hash. |
| 8.11.0 | true | file | file.hash.sha1 | keyword | extended | | | SHA1 hash. |
| 8.11.0 | true | file | file.hash.sha256 | keyword | extended | | | SHA256 hash. |
| 8.11.0 | true | file | file.hash.sha384 | keyword | extended | | | SHA384 hash. |
| 8.11.0 | true | file | file.hash.sha512 | keyword | extended | | | SHA512 hash. |
| 8.11.0 | true | file | file.hash.ssdeep | keyword | extended | | | SSDEEP hash. |
| 8.11.0 | true | file | file.hash.tlsh | keyword | extended | | | TLSH hash. |
| 8.11.0 | true | file | file.inode | keyword | extended | | 256383 | Inode representing the file in the filesystem. |
| 8.11.0 | true | file | file.macho.go_import_hash | keyword | extended | | 10bddcb4cee42080f76c88d9ff964491 | A hash of the Go language imports in a Mach-O file. |
| 8.11.0 | true | file | file.macho.go_imports | flat_object | extended | | | List of imported Go language element names and types. |
| 8.11.0 | true | file | file.macho.go_imports_names_entropy | long | extended | | | Shannon entropy calculation from the list of Go imports. |
| 8.11.0 | true | file | file.macho.go_imports_names_var_entropy | long | extended | | | Variance for the Shannon entropy calculation from the list of Go imports. |
| 8.11.0 | true | file | file.macho.go_stripped | boolean | extended | | | Whether the file is a stripped or obfuscated Go executable. |
| 8.11.0 | true | file | file.macho.import_hash | keyword | extended | | d41d8cd98f00b204e9800998ecf8427e | A hash of the imports in a Mach-O file. |
| 8.11.0 | true | file | file.macho.imports | flat_object | extended | array | | List of imported element names and types. |
| 8.11.0 | true | file | file.macho.imports_names_entropy | long | extended | | | Shannon entropy calculation from the list of imported element names and types. |
| 8.11.0 | true | file | file.macho.imports_names_var_entropy | long | extended | | | Variance for the Shannon entropy calculation from the list of imported element names and types. |
| 8.11.0 | true | file | file.macho.sections | nested | extended | array | | Section information of the Mach-O file. |
| 8.11.0 | true | file | file.macho.sections.entropy | long | extended | | | Shannon entropy calculation from the section. |
| 8.11.0 | true | file | file.macho.sections.name | keyword | extended | | | Mach-O Section List name. |
| 8.11.0 | true | file | file.macho.sections.physical_size | long | extended | | | Mach-O Section List physical size. |
| 8.11.0 | true | file | file.macho.sections.var_entropy | long | extended | | | Variance for the Shannon entropy calculation from the section. |
| 8.11.0 | true | file | file.macho.sections.virtual_size | long | extended | | | Mach-O Section List virtual size. This is always the same as `physical_size`. |
| 8.11.0 | true | file | file.macho.symhash | keyword | extended | | d3ccf195b62a9279c3c19af1080497ec | A hash of the imports in a Mach-O file. |
| 8.11.0 | true | file | file.mime_type | keyword | extended | | | Media type of file, document, or arrangement of bytes. |
| 8.11.0 | true | file | file.mode | keyword | extended | | 0640 | Mode of the file in octal representation. |
| 8.11.0 | true | file | file.mtime | date | extended | | | Last time the file content was modified. |
| 8.11.0 | true | file | file.name | keyword | extended | | example.png | Name of the file including the extension, without the directory. |
| 8.11.0 | true | file | file.owner | keyword | extended | | alice | File owner's username. |
| 8.11.0 | true | file | file.path | keyword | extended | | /home/alice/example.png | Full path to the file, including the file name. |
| 8.11.0 | true | file | file.path.text | keyword | extended | | /home/alice/example.png | Full path to the file, including the file name. |
| 8.11.0 | true | file | file.pe.architecture | keyword | extended | | x64 | CPU architecture target for the file. |
| 8.11.0 | true | file | file.pe.company | keyword | extended | | Microsoft Corporation | Internal company name of the file, provided at compile-time. |
| 8.11.0 | true | file | file.pe.description | keyword | extended | | Paint | Internal description of the file, provided at compile-time. |
| 8.11.0 | true | file | file.pe.file_version | keyword | extended | | 6.3.9600.17415 | Internal version of the file, provided at compile-time. |
| 8.11.0 | true | file | file.pe.go_import_hash | keyword | extended | | 10bddcb4cee42080f76c88d9ff964491 | A hash of the Go language imports in a PE file. |
| 8.11.0 | true | file | file.pe.go_imports | flat_object | extended | | | List of imported Go language element names and types. |
| 8.11.0 | true | file | file.pe.go_imports_names_entropy | long | extended | | | Shannon entropy calculation from the list of Go imports. |
| 8.11.0 | true | file | file.pe.go_imports_names_var_entropy | long | extended | | | Variance for the Shannon entropy calculation from the list of Go imports. |
| 8.11.0 | true | file | file.pe.go_stripped | boolean | extended | | | Whether the file is a stripped or obfuscated Go executable. |
| 8.11.0 | true | file | file.pe.imphash | keyword | extended | | 0c6803c4e922103c4dca5963aad36ddf | A hash of the imports in a PE file. |
| 8.11.0 | true | file | file.pe.import_hash | keyword | extended | | d41d8cd98f00b204e9800998ecf8427e | A hash of the imports in a PE file. |
| 8.11.0 | true | file | file.pe.imports | flat_object | extended | array | | List of imported element names and types. |
| 8.11.0 | true | file | file.pe.imports_names_entropy | long | extended | | | Shannon entropy calculation from the list of imported element names and types. |
| 8.11.0 | true | file | file.pe.imports_names_var_entropy | long | extended | | | Variance for the Shannon entropy calculation from the list of imported element names and types. |
| 8.11.0 | true | file | file.pe.original_file_name | keyword | extended | | MSPAINT.EXE | Internal name of the file, provided at compile-time. |
| 8.11.0 | true | file | file.pe.pehash | keyword | extended | | 73ff189b63cd6be375a7ff25179a38d347651975 | A hash of the PE header and data from one or more PE sections. |
| 8.11.0 | true | file | file.pe.product | keyword | extended | | Microsoft® Windows® Operating System | Internal product name of the file, provided at compile-time. |
| 8.11.0 | true | file | file.pe.sections | nested | extended | array | | Section information of the PE file. |
| 8.11.0 | true | file | file.pe.sections.entropy | long | extended | | | Shannon entropy calculation from the section. |
| 8.11.0 | true | file | file.pe.sections.name | keyword | extended | | | PE Section List name. |
| 8.11.0 | true | file | file.pe.sections.physical_size | long | extended | | | PE Section List physical size. |
| 8.11.0 | true | file | file.pe.sections.var_entropy | long | extended | | | Variance for the Shannon entropy calculation from the section. |
| 8.11.0 | true | file | file.pe.sections.virtual_size | long | extended | | | PE Section List virtual size. This is always the same as `physical_size`. |
| 8.11.0 | true | file | file.size | long | extended | | 16384 | File size in bytes. |
| 8.11.0 | true | file | file.target_path | keyword | extended | | | Target path for symlinks. |
| 8.11.0 | true | file | file.target_path.text | keyword | extended | | | Target path for symlinks. |
| 8.11.0 | true | file | file.type | keyword | extended | | file | File type (file, dir, or symlink). |
| 8.11.0 | true | file | file.uid | keyword | extended | | 1001 | The user ID (UID) or security identifier (SID) of the file owner. |
| 8.11.0 | true | file | file.x509.alternative_names | keyword | extended | array | *.elastic.co | List of subject alternative names (SAN). |
| 8.11.0 | true | file | file.x509.issuer.common_name | keyword | extended | array | Example SHA2 High Assurance Server CA | List of common names (CN) of the issuing certificate authority. |
| 8.11.0 | true | file | file.x509.issuer.country | keyword | extended | array | US | List of country (C) codes. |
| 8.11.0 | true | file | file.x509.issuer.distinguished_name | keyword | extended | | C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA | Distinguished name (DN) of the issuing certificate authority. |
| 8.11.0 | true | file | file.x509.issuer.locality | keyword | extended | array | Mountain View | List of locality names (L). |
| 8.11.0 | true | file | file.x509.issuer.organization | keyword | extended | array | Example Inc | List of organizations (O) of the issuing certificate authority. |
| 8.11.0 | true | file | file.x509.issuer.organizational_unit | keyword | extended | array | www.example.com | List of organizational units (OU) of the issuing certificate authority. |
| 8.11.0 | true | file | file.x509.issuer.state_or_province | keyword | extended | array | California | List of state or province names (ST, S, or P). |
| 8.11.0 | true | file | file.x509.not_after | date | extended | | 2020-07-16T03:15:39Z | Time at which the certificate is no longer considered valid. |
| 8.11.0 | true | file | file.x509.not_before | date | extended | | 2019-08-16T01:40:25Z | Time at which the certificate is first considered valid. |
| 8.11.0 | true | file | file.x509.public_key_algorithm | keyword | extended | | RSA | Algorithm used to generate the public key. |
| 8.11.0 | true | file | file.x509.public_key_curve | keyword | extended | | nistp521 | The curve used by the elliptic curve public key algorithm. This is algorithm specific. |
| 8.11.0 | false | file | file.x509.public_key_exponent | long | extended | | 65537 | Exponent used to derive the public key. This is algorithm specific. |
| 8.11.0 | true | file | file.x509.public_key_size | long | extended | | 2048 | The size of the public key space in bits. |
| 8.11.0 | true | file | file.x509.serial_number | keyword | extended | | 55FBB9C7DEBF09809D12CCAA | Unique serial number issued by the certificate authority. |
| 8.11.0 | true | file | file.x509.signature_algorithm | keyword | extended | | SHA256-RSA | Identifier for the certificate signature algorithm. |
| 8.11.0 | true | file | file.x509.subject.common_name | keyword | extended | array | shared.global.example.net | List of common names (CN) of the subject. |
| 8.11.0 | true | file | file.x509.subject.country | keyword | extended | array | US | List of country (C) codes. |
| 8.11.0 | true | file | file.x509.subject.distinguished_name | keyword | extended | | C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net | Distinguished name (DN) of the certificate subject entity. |
| 8.11.0 | true | file | file.x509.subject.locality | keyword | extended | array | San Francisco | List of locality names (L). |
| 8.11.0 | true | file | file.x509.subject.organization | keyword | extended | array | Example, Inc. | List of organizations (O) of the subject. |
| 8.11.0 | true | file | file.x509.subject.organizational_unit | keyword | extended | array | | List of organizational units (OU) of the subject. |
| 8.11.0 | true | file | file.x509.subject.state_or_province | keyword | extended | array | California | List of state or province names (ST, S, or P). |
| 8.11.0 | true | file | file.x509.version_number | keyword | extended | | 3 | Version of the x509 format. |
| 8.11.0 | true | group | group.domain | keyword | extended | | | Name of the directory the group is a member of. |
| 8.11.0 | true | group | group.id | keyword | extended | | | Unique identifier for the group on the system/platform. |
| 8.11.0 | true | group | group.name | keyword | extended | | | Name of the group. |
| 8.11.0 | true | host | host.architecture | keyword | core | | x86_64 | Operating system architecture. |
| 8.11.0 | true | host | host.boot.id | keyword | extended | | 88a1f0ed-5ae5-41ee-af6b-41921c311872 | Linux boot UUID taken from /proc/sys/kernel/random/boot_id. |
| 8.11.0 | true | host | host.cpu | object | custom | | "name": "Intel(R) Core(TM) i7-7700HQ CPU", "cores": 4, "speed": 2800 | CPU-related data. |
| 8.11.0 | true | host | host.cpu.cores | long | custom | | 4 | Number of CPU cores. |
| 8.11.0 | true | host | host.cpu.name | keyword | custom | | Intel(R) Core(TM) i7-7700HQ CPU | CPU model name. |
| 8.11.0 | true | host | host.cpu.speed | long | custom | | 2800 | CPU clock speed. |
| 8.11.0 | true | host | host.cpu.usage | scaled_float | extended | | | Percent CPU used, between 0 and 1. |
| 8.11.0 | true | host | host.disk.read.bytes | long | extended | | | The number of bytes read by all disks. |
| 8.11.0 | true | host | host.disk.write.bytes | long | extended | | | The number of bytes written on all disks. |
| 8.11.0 | true | host | host.domain | keyword | extended | | CONTOSO | Name of the directory the host is a member of. |
| 8.11.0 | true | host | host.geo.city_name | keyword | core | | Montreal | City name. |
| 8.11.0 | true | host | host.geo.continent_code | keyword | core | | NA | Continent code. |
| 8.11.0 | true | host | host.geo.continent_name | keyword | core | | North America | Name of the continent. |
| 8.11.0 | true | host | host.geo.country_iso_code | keyword | core | | CA | Country ISO code. |
| 8.11.0 | true | host | host.geo.country_name | keyword | core | | Canada | Country name. |
| 8.11.0 | true | host | host.geo.location | geo_point | core | | { "lon": -73.614830, "lat": 45.505918 } | Longitude and latitude. |
| 8.11.0 | true | host | host.geo.name | keyword | extended | | boston-dc | User-defined description of a location. |
| 8.11.0 | true | host | host.geo.postal_code | keyword | core | | 94040 | Postal code. |
| 8.11.0 | true | host | host.geo.region_iso_code | keyword | core | | CA-QC | Region ISO code. |
| 8.11.0 | true | host | host.geo.region_name | keyword | core | | Quebec | Region name. |
| 8.11.0 | true | host | host.geo.timezone | keyword | core | | America/Argentina/Buenos_Aires | Time zone. |
| 8.11.0 | true | host | host.hostname | keyword | core | | | Hostname of the host. |
| 8.11.0 | true | host | host.id | keyword | core | | | Unique host id. |
| 8.11.0 | true | host | host.ip | ip | core | array | | Host IP addresses. |
| 8.11.0 | true | host | host.mac | keyword | core | array | ["00-00-5E-00-53-23", "00-00-5E-00-53-24"] | Host MAC addresses. |
| 8.11.0 | true | host | host.memory | object | custom | | "total": 100000, "free": 90000, "used": {"percentage": 10} | Memory-related data. |
| 8.11.0 | true | host | host.memory.free | long | custom | | 1024 | Free memory in MB. |
| 8.11.0 | true | host | host.memory.total | long | custom | | 1024 | Total memory in MB. |
| 8.11.0 | true | host | host.memory.used | object | custom | | "percentage": 10 | Used memory-related data. |
| 8.11.0 | true | host | host.memory.used.percentage | long | custom | | 10 | Used memory percentage. |
| 8.11.0 | true | host | host.name | keyword | core | | | Name of the host. |
| 8.11.0 | true | host | host.network.egress.bytes | long | extended | | | The number of bytes sent on all network interfaces. |
| 8.11.0 | true | host | host.network.egress.drops | long | custom | | 10 | Number of dropped transmitted packets. |
| 8.11.0 | true | host | host.network.egress.errors | long | custom | | 10 | Number of transmission errors. |
| 8.11.0 | true | host | host.network.egress.packets | long | extended | | | The number of packets sent on all network interfaces. |
| 8.11.0 | true | host | host.network.egress.queue | long | custom | | 10 | Transmit queue length. |
| 8.11.0 | true | host | host.network.ingress.bytes | long | extended | | | The number of bytes received on all network interfaces. |
| 8.11.0 | true | host | host.network.ingress.drops | long | custom | | 10 | Number of dropped received packets. |
| 8.11.0 | true | host | host.network.ingress.errors | long | custom | | 10 | Number of reception errors. |
| 8.11.0 | true | host | host.network.ingress.packets | long | extended | | | The number of packets received on all network interfaces. |
| 8.11.0 | true | host | host.network.ingress.queue | long | custom | | 10 | Receive queue length. |
| 8.11.0 | true | host | host.os.family | keyword | extended | | debian | OS family (such as redhat, debian, freebsd, windows). |
| 8.11.0 | true | host | host.os.full | keyword | extended | | Mac OS Mojave | Operating system name, including the version or code name. |
| 8.11.0 | true | host | host.os.full.text | keyword | extended | | Mac OS Mojave | Operating system name, including the version or code name. |
| 8.11.0 | true | host | host.os.kernel | keyword | extended | | 4.4.0-112-generic | Operating system kernel version as a raw string. |
| 8.11.0 | true | host | host.os.name | keyword | extended | | Mac OS X | Operating system name, without the version. |
| 8.11.0 | true | host | host.os.name.text | keyword | extended | | Mac OS X | Operating system name, without the version. |
| 8.11.0 | true | host | host.os.platform | keyword | extended | | darwin | Operating system platform (such as centos, ubuntu, windows). |
| 8.11.0 | true | host | host.os.type | keyword | extended | | macos | Which commercial OS family (one of: linux, macos, unix, windows, ios or android). |
| 8.11.0 | true | host | host.os.version | keyword | extended | | 10.14.1 | Operating system version as a raw string. |
| 8.11.0 | true | host | host.pid_ns_ino | keyword | extended | | 256383 | PID namespace inode. |
| 8.11.0 | true | host | host.risk.calculated_level | keyword | extended | | High | A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. |
| 8.11.0 | true | host | host.risk.calculated_score | float | extended | | 880.73 | A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. |
| 8.11.0 | true | host | host.risk.calculated_score_norm | float | extended | | 88.73 | A normalized risk score calculated by an internal system. |
| 8.11.0 | true | host | host.risk.static_level | keyword | extended | | High | A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform. |
| 8.11.0 | true | host | host.risk.static_score | float | extended | | 830.0 | A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform. |
| 8.11.0 | true | host | host.risk.static_score_norm | float | extended | | 83.0 | A normalized risk score calculated by an external system. |
| 8.11.0 | true | host | host.type | keyword | core | | | Type of host. |
| 8.11.0 | true | host | host.uptime | long | extended | | 1325 | Seconds the host has been up. |
| 8.11.0 | true | http | http.request.body.bytes | long | extended | | 887 | Size in bytes of the request body. |
| 8.11.0 | true | http | http.request.body.content | keyword | extended | | Hello world | The full HTTP request body. |
| 8.11.0 | true | http | http.request.body.content.text | keyword | extended | | Hello world | The full HTTP request body. |
| 8.11.0 | true | http | http.request.bytes | long | extended | | 1437 | Total size in bytes of the request (body and headers). |
| 8.11.0 | true | http | http.request.id | keyword | extended | | 123e4567-e89b-12d3-a456-426614174000 | HTTP request ID. |
| 8.11.0 | true | http | http.request.method | keyword | extended | | POST | HTTP request method. |
| 8.11.0 | true | http | http.request.mime_type | keyword | extended | | image/gif | MIME type of the body of the request. |
| 8.11.0 | true | http | http.request.referrer | keyword | extended | | https://blog.example.com/ | Referrer for this HTTP request. |
| 8.11.0 | true | http | http.response.body.bytes | long | extended | | 887 | Size in bytes of the response body. |
| 8.11.0 | true | http | http.response.body.content | keyword | extended | | Hello world | The full HTTP response body. |
| 8.11.0 | true | http | http.response.body.content.text | keyword | extended | | Hello world | The full HTTP response body. |
| 8.11.0 | true | http | http.response.bytes | long | extended | | 1437 | Total size in bytes of the response (body and headers). |
| 8.11.0 | true | http | http.response.mime_type | keyword | extended | | image/gif | MIME type of the body of the response. |
| 8.11.0 | true | http | http.response.status_code | long | extended | | 404 | HTTP response status code. |
| 8.11.0 | true | http | http.version | keyword | extended | | 1.1 | HTTP version. |
| 8.11.0 | true | interface | interface.alias | keyword | extended | | outside | Interface alias. |
| 8.11.0 | true | interface | interface.id | keyword | extended | | 10 | Interface ID. |
| 8.11.0 | true | interface | interface.mtu | long | custom | | 1500 | Maximum transmission unit size. |
| 8.11.0 | true | interface | interface.name | keyword | extended | | eth0 | Interface name. |
| 8.11.0 | true | interface | interface.state | keyword | custom | | up | State of the network interface. |
| 8.11.0 | true | interface | interface.type | keyword | custom | | ethernet | Interface type. |
| 8.11.0 | true | log | log.file.path | keyword | extended | | /var/log/fun-times.log | Full path to the log file this event came from. |
| 8.11.0 | true | log | log.level | keyword | core | | error | Log level of the log event. |
| 8.11.0 | true | log | log.logger | keyword | core | | org.elasticsearch.bootstrap.Bootstrap | Name of the logger. |
| 8.11.0 | true | log | log.origin.file.line | long | extended | | 42 | The line number of the file which originated the log event. |
| 8.11.0 | true | log | log.origin.file.name | keyword | extended | | Bootstrap.java | The code file which originated the log event. |
| 8.11.0 | true | log | log.origin.function | keyword | extended | | init | The function which originated the log event. |
| 8.11.0 | true | log | log.syslog | object | extended | | | Syslog metadata. |
| 8.11.0 | true | log | log.syslog.appname | keyword | extended | | sshd | The device or application that originated the Syslog message. |
| 8.11.0 | true | log | log.syslog.facility.code | long | extended | | 23 | Syslog numeric facility of the event. |
| 8.11.0 | true | log | log.syslog.facility.name | keyword | extended | | local7 | Syslog text-based facility of the event. |
| 8.11.0 | true | log | log.syslog.hostname | keyword | extended | | example-host | The host that originated the Syslog message. |
| 8.11.0 | true | log | log.syslog.msgid | keyword | extended | | ID47 | An identifier for the type of Syslog message. |
| 8.11.0 | true | log | log.syslog.priority | long | extended | | 135 | Syslog priority of the event. |
| 8.11.0 | true | log | log.syslog.procid | keyword | extended | | 12345 | The process name or ID that originated the Syslog message. |
| 8.11.0 | true | log | log.syslog.severity.code | long | extended | | 3 | Syslog numeric severity of the event. |
| 8.11.0 | true | log | log.syslog.severity.name | keyword | extended | | Error | Syslog text-based severity of the event. |
| 8.11.0 | true | log | log.syslog.structured_data | flat_object | extended | | | Structured data expressed in RFC 5424 messages. |
| 8.11.0 | true | log | log.syslog.version | keyword | extended | | 1 | Syslog protocol version. |
| 8.11.0 | true | network | network.application | keyword | extended | | aim | Application level protocol name. |
| 8.11.0 | true | network | network.broadcast | ip | custom | | 192.168.0.255 | Broadcast address. |
| 8.11.0 | true | network | network.bytes | long | core | | 368 | Total bytes transferred in both directions. |
| 8.11.0 | true | network | network.community_id | keyword | extended | | 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= | A hash of source and destination IPs and ports. |
| 8.11.0 | true | network | network.dhcp | keyword | custom | | enabled | DHCP status (enabled, disabled, unknown, BOOTP). |
| 8.11.0 | true | network | network.direction | keyword | core | | inbound | Direction of the network traffic. |
| 8.11.0 | true | network | network.forwarded_ip | ip | core | | 192.1.1.2 | Host IP address when the source IP address is the proxy. |
| 8.11.0 | true | network | network.gateway | ip | custom | | 192.168.0.1 | Gateway address. |
| 8.11.0 | true | network | network.iana_number | keyword | extended | | 6 | IANA protocol number. |
| 8.11.0 | true | network | network.inner | object | extended | | | Inner VLAN tag information. |
| 8.11.0 | true | network | network.inner.vlan.id | keyword | extended | | 10 | VLAN ID as reported by the observer. |
| 8.11.0 | true | network | network.inner.vlan.name | keyword | extended | | outside | Optional VLAN name as reported by the observer. |
| 8.11.0 | true | network | network.metric | long | custom | | 15 | Metric of the network protocol. |
| 8.11.0 | true | network | network.name | keyword | extended | | Guest Wifi | Name given by operators to sections of their network. |
| 8.11.0 | true | network | network.netmask | ip | custom | | 255.255.255.0 | Network mask. |
| 8.11.0 | true | network | network.packets | long | core | | 24 | Total packets transferred in both directions. |
| 8.11.0 | true | network | network.protocol | keyword | core | | http | Application protocol name. |
| 8.11.0 | true | network | network.transport | keyword | core | | tcp | Protocol name corresponding to the field `iana_number`. |
| 8.11.0 | true | network | network.type | keyword | core | | ipv4 | In the OSI model this would be the Network Layer: ipv4, ipv6, ipsec, pim, etc. |
| 8.11.0 | true | network | network.vlan.id | keyword | extended | | 10 | VLAN ID as reported by the observer. |
| 8.11.0 | true | network | network.vlan.name | keyword | extended | | outside | Optional VLAN name as reported by the observer. |
| 8.11.0 | true | observer | observer.egress | object | extended | | | Object field for egress information. |
| 8.11.0 | true | observer | observer.egress.interface.alias | keyword | extended | | outside | Interface alias. |
| 8.11.0 | true | observer | observer.egress.interface.id | keyword | extended | | 10 | Interface ID. |
| 8.11.0 | true | observer | observer.egress.interface.mtu | long | custom | | 1500 | Maximum transmission unit size. |
| 8.11.0 | true | observer | observer.egress.interface.name | keyword | extended | | eth0 | Interface name. |
| 8.11.0 | true | observer | observer.egress.interface.observer.ingress.interface.alias | keyword | extended | | outside | Interface alias. |
| 8.11.0 | true | observer | observer.egress.interface.observer.ingress.interface.id | keyword | extended | | 10 | Interface ID. |
| 8.11.0 | true | observer | observer.egress.interface.observer.ingress.interface.mtu | long | custom | | 1500 | Maximum transmission unit size. |
| 8.11.0 | true | observer | observer.egress.interface.observer.ingress.interface.name | keyword | extended | | eth0 | Interface name. |
| 8.11.0 | true | observer | observer.egress.interface.observer.ingress.interface.state | keyword | custom | | up | State of the network interface. |
| 8.11.0 | true | observer | observer.egress.interface.observer.ingress.interface.type | keyword | custom | | ethernet | Interface type. |
| 8.11.0 | true | observer | observer.egress.interface.state | keyword | custom | | up | State of the network interface. |
| 8.11.0 | true | observer | observer.egress.interface.type | keyword | custom | | ethernet | Interface type. |
| 8.11.0 | true | observer | observer.egress.vlan.id | keyword | extended | | 10 | VLAN ID as reported by the observer. |
| 8.11.0 | true | observer | observer.egress.vlan.name | keyword | extended | | outside | Optional VLAN name as reported by the observer. |
| 8.11.0 | true | observer | observer.egress.zone | keyword | extended | | Public_Internet | Observer egress zone. |
| 8.11.0 | true | observer | observer.geo.city_name | keyword | core | | Montreal | City name. |
| 8.11.0 | true | observer | observer.geo.continent_code | keyword | core | | NA | Continent code. |
| 8.11.0 | true | observer | observer.geo.continent_name | keyword | core | | North America | Name of the continent. |
| 8.11.0 | true | observer | observer.geo.country_iso_code | keyword | core | | CA | Country ISO code. |
| 8.11.0 | true | observer | observer.geo.country_name | keyword | core | | Canada | Country name. |
| 8.11.0 | true | observer | observer.geo.location | geo_point | core | | { "lon": -73.614830, "lat": 45.505918 } | Longitude and latitude. |
| 8.11.0 | true | observer | observer.geo.name | keyword | extended | | boston-dc | User-defined description of a location. |
| 8.11.0 | true | observer | observer.geo.postal_code | keyword | core | | 94040 | Postal code. |
| 8.11.0 | true | observer | observer.geo.region_iso_code | keyword | core | | CA-QC | Region ISO code. |
| 8.11.0 | true | observer | observer.geo.region_name | keyword | core | | Quebec | Region name. |
| 8.11.0 | true | observer | observer.geo.timezone | keyword | core | | America/Argentina/Buenos_Aires | Time zone. |
| 8.11.0 | true | observer | observer.hostname | keyword | core | | | Hostname of the observer. |
| 8.11.0 | true | observer | observer.ingress | object | extended | | | Object field for ingress information. |
| 8.11.0 | true | observer | observer.ingress.interface.alias | keyword | extended | | outside | Interface alias. |
| 8.11.0 | true | observer | observer.ingress.interface.id | keyword | extended | | 10 | Interface ID. |
| 8.11.0 | true | observer | observer.ingress.interface.mtu | long | custom | | 1500 | Maximum transmission unit size. |
| 8.11.0 | true | observer | observer.ingress.interface.name | keyword | extended | | eth0 | Interface name. |
| 8.11.0 | true | observer | observer.ingress.interface.state | keyword | custom | | up | State of the network interface. |
| 8.11.0 | true | observer | observer.ingress.interface.type | keyword | custom | | ethernet | Interface type. |
| 8.11.0 | true | observer | observer.ingress.vlan.id | keyword | extended | | 10 | VLAN ID as reported by the observer. |
| 8.11.0 | true | observer | observer.ingress.vlan.name | keyword | extended | | outside | Optional VLAN name as reported by the observer. |
| 8.11.0 | true | observer | observer.ingress.zone | keyword | extended | | DMZ | Observer ingress zone. |
| 8.11.0 | true | observer | observer.ip | ip | core | array | | IP addresses of the observer. |
| 8.11.0 | true | observer | observer.mac | keyword | core | array | ["00-00-5E-00-53-23", "00-00-5E-00-53-24"] | MAC addresses of the observer. |
| 8.11.0 | true | observer | observer.name | keyword | extended | | 1_proxySG | Custom name of the observer. |
| 8.11.0 | true | observer | observer.os.family | keyword | extended | | debian | OS family (such as redhat, debian, freebsd, windows). |
6468.11.0trueobserverobserver.os.fullkeywordextendedMac OS MojaveOperating system name, including the version or code name.
6478.11.0trueobserverobserver.os.full.textkeywordextendedMac OS MojaveOperating system name, including the version or code name.
6488.11.0trueobserverobserver.os.kernelkeywordextended4.4.0-112-genericOperating system kernel version as a raw string.
6498.11.0trueobserverobserver.os.namekeywordextendedMac OS XOperating system name, without the version.
6508.11.0trueobserverobserver.os.name.textkeywordextendedMac OS XOperating system name, without the version.
6518.11.0trueobserverobserver.os.platformkeywordextendeddarwinOperating system platform (such centos, ubuntu, windows).
6528.11.0trueobserverobserver.os.typekeywordextendedmacosWhich commercial OS family (one of: linux, macos, unix, windows, ios or android).
6538.11.0trueobserverobserver.os.versionkeywordextended10.14.1Operating system version as a raw string.
6548.11.0trueobserverobserver.productkeywordextendeds200The product name of the observer.
6558.11.0trueobserverobserver.serial_numberkeywordextendedObserver serial number.
6568.11.0trueobserverobserver.typekeywordcorefirewallThe type of the observer the data is coming from.
6578.11.0trueobserverobserver.vendorkeywordcoreSymantecVendor name of the observer.
6588.11.0trueobserverobserver.versionkeywordcoreObserver version.
6598.11.0trueorchestratororchestrator.api_versionkeywordextendedv1beta1API version being used to carry out the action
6608.11.0trueorchestratororchestrator.cluster.idkeywordextendedUnique ID of the cluster.
6618.11.0trueorchestratororchestrator.cluster.namekeywordextendedName of the cluster.
6628.11.0trueorchestratororchestrator.cluster.urlkeywordextendedURL of the API used to manage the cluster.
6638.11.0trueorchestratororchestrator.cluster.versionkeywordextendedThe version of the cluster.
6648.11.0trueorchestratororchestrator.namespacekeywordextendedkube-systemNamespace in which the action is taking place.
6658.11.0trueorchestratororchestrator.organizationkeywordextendedelasticOrganization affected by the event (for multi-tenant orchestrator setups).
6668.11.0trueorchestratororchestrator.resource.annotationkeywordextendedarray['key1:value1', 'key2:value2', 'key3:value3']The list of annotations added to the resource.
6678.11.0trueorchestratororchestrator.resource.idkeywordextendedUnique ID of the resource being acted upon.
6688.11.0trueorchestratororchestrator.resource.ipipextendedarrayIP address assigned to the resource associated with the event being observed.
6698.11.0trueorchestratororchestrator.resource.labelkeywordextendedarray['key1:value1', 'key2:value2', 'key3:value3']The list of labels added to the resource.
6708.11.0trueorchestratororchestrator.resource.namekeywordextendedtest-pod-cdcwsName of the resource being acted upon.
6718.11.0trueorchestratororchestrator.resource.parent.typekeywordextendedDaemonSetType or kind of the parent resource associated with the event being observed.
6728.11.0trueorchestratororchestrator.resource.typekeywordextendedserviceType of resource being acted upon.
6738.11.0trueorchestratororchestrator.typekeywordextendedkubernetesOrchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
6748.11.0trueorganizationorganization.idkeywordextendedUnique identifier for the organization.
6758.11.0trueorganizationorganization.namekeywordextendedOrganization name.
6768.11.0trueorganizationorganization.name.textkeywordextendedOrganization name.
6778.11.0truepackagepackage.architecturekeywordextendedx86_64Package architecture.
6788.11.0truepackagepackage.build_versionkeywordextended36f4f7e89dd61b0988b12ee000b98966867710cdBuild version information
6798.11.0truepackagepackage.checksumkeywordextended68b329da9893e34099c7d8ad5cb9c940Checksum of the installed package for verification.
6808.11.0truepackagepackage.descriptionkeywordextendedOpen source programming language to build simple/reliable/efficient software.Description of the package.
6818.11.0truepackagepackage.install_scopekeywordextendedglobalIndicating how the package was installed, e.g. user-local, global.
6828.11.0truepackagepackage.installeddateextendedTime when package was installed.
6838.11.0truepackagepackage.licensekeywordextendedApache License 2.0Package license
6848.11.0truepackagepackage.namekeywordextendedgoPackage name
6858.11.0truepackagepackage.pathkeywordextended/usr/local/Cellar/go/1.12.9/Path where the package is installed.
6868.11.0truepackagepackage.referencekeywordextendedhttps://golang.orgPackage home page or reference URL
6878.11.0truepackagepackage.sizelongextended62231Package size in bytes.
6888.11.0truepackagepackage.typekeywordextendedrpmPackage type
6898.11.0truepackagepackage.versionkeywordextended1.12.9Package version
6908.11.0truepolicypolicy.descriptionkeywordcustom"The CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 is a comprehensive security configuration guide that provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Windows 11 Enterprise."Extended description of the policy.
6918.11.0truepolicypolicy.filekeywordcustomcis_win11_enterprise.ymlThe file name of the SCA policy.
6928.11.0truepolicypolicy.idkeywordcustomcis_win11_enterprise_21H2The ID of the SCA policy.
6938.11.0truepolicypolicy.namekeywordcustomCIS Microsoft Windows 11 Enterprise Benchmark v1.0.0The name of the SCA policy.
6948.11.0truepolicypolicy.referenceskeywordcustomarray["https://www.cisecurity.org/cis-benchmarks/"]References for the policy.
6958.11.0trueprocessprocess.argskeywordextendedarray["/usr/bin/ssh", "-l", "user", "10.0.0.16"]Array of process arguments.
6968.11.0trueprocessprocess.args_countlongextended4Length of the process.args array.
6978.11.0trueprocessprocess.code_signature.digest_algorithmkeywordextendedsha256Hashing algorithm used to sign the process.
6988.11.0trueprocessprocess.code_signature.existsbooleancoretrueBoolean to capture if a signature is present.
6998.11.0trueprocessprocess.code_signature.signing_idkeywordextendedcom.apple.xpc.proxyThe identifier used to sign the process.
7008.11.0trueprocessprocess.code_signature.statuskeywordextendedERROR_UNTRUSTED_ROOTAdditional information about the certificate status.
7018.11.0trueprocessprocess.code_signature.subject_namekeywordcoreMicrosoft CorporationSubject name of the code signer
7028.11.0trueprocessprocess.code_signature.team_idkeywordextendedEQHXZ8M8AVThe team identifier used to sign the process.
7038.11.0trueprocessprocess.code_signature.timestampdateextended2021-01-01T12:10:30ZWhen the signature was generated and signed.
7048.11.0trueprocessprocess.code_signature.trustedbooleanextendedtrueStores the trust status of the certificate chain.
7058.11.0trueprocessprocess.code_signature.validbooleanextendedtrueBoolean to capture if the digital signature is verified against the binary content.
7068.11.0trueprocessprocess.command_linekeywordextended/usr/bin/ssh -l user 10.0.0.16Full command line that started the process.
7078.11.0trueprocessprocess.command_line.textkeywordextended/usr/bin/ssh -l user 10.0.0.16Full command line that started the process.
7088.11.0trueprocessprocess.elf.architecturekeywordextendedx86-64Machine architecture of the ELF file.
7098.11.0trueprocessprocess.elf.byte_orderkeywordextendedLittle EndianByte sequence of ELF file.
7108.11.0trueprocessprocess.elf.cpu_typekeywordextendedIntelCPU type of the ELF file.
7118.11.0trueprocessprocess.elf.creation_datedateextendedBuild or compile date.
7128.11.0trueprocessprocess.elf.exportsflat_objectextendedarrayList of exported element names and types.
7138.11.0trueprocessprocess.elf.go_import_hashkeywordextended10bddcb4cee42080f76c88d9ff964491A hash of the Go language imports in an ELF file.
7148.11.0trueprocessprocess.elf.go_importsflat_objectextendedList of imported Go language element names and types.
7158.11.0trueprocessprocess.elf.go_imports_names_entropylongextendedShannon entropy calculation from the list of Go imports.
7168.11.0trueprocessprocess.elf.go_imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of Go imports.
7178.11.0trueprocessprocess.elf.go_strippedbooleanextendedWhether the file is a stripped or obfuscated Go executable.
7188.11.0trueprocessprocess.elf.header.abi_versionkeywordextendedVersion of the ELF Application Binary Interface (ABI).
7198.11.0trueprocessprocess.elf.header.classkeywordextendedHeader class of the ELF file.
7208.11.0trueprocessprocess.elf.header.datakeywordextendedData table of the ELF header.
7218.11.0trueprocessprocess.elf.header.entrypointlongextendedHeader entrypoint of the ELF file.
7228.11.0trueprocessprocess.elf.header.object_versionkeywordextended"0x1" for original ELF files.
7238.11.0trueprocessprocess.elf.header.os_abikeywordextendedApplication Binary Interface (ABI) of the Linux OS.
7248.11.0trueprocessprocess.elf.header.typekeywordextendedHeader type of the ELF file.
7258.11.0trueprocessprocess.elf.header.versionkeywordextendedVersion of the ELF header.
7268.11.0trueprocessprocess.elf.import_hashkeywordextendedd41d8cd98f00b204e9800998ecf8427eA hash of the imports in an ELF file.
7278.11.0trueprocessprocess.elf.importsflat_objectextendedarrayList of imported element names and types.
7288.11.0trueprocessprocess.elf.imports_names_entropylongextendedShannon entropy calculation from the list of imported element names and types.
7298.11.0trueprocessprocess.elf.imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of imported element names and types.
7308.11.0trueprocessprocess.elf.sectionsnestedextendedarraySection information of the ELF file.
7318.11.0trueprocessprocess.elf.sections.chi2longextendedChi-square probability distribution of the section.
7328.11.0trueprocessprocess.elf.sections.entropylongextendedShannon entropy calculation from the section.
7338.11.0trueprocessprocess.elf.sections.flagskeywordextendedELF Section List flags.
7348.11.0trueprocessprocess.elf.sections.namekeywordextendedELF Section List name.
7358.11.0trueprocessprocess.elf.sections.physical_offsetkeywordextendedELF Section List offset.
7368.11.0trueprocessprocess.elf.sections.physical_sizelongextendedELF Section List physical size.
7378.11.0trueprocessprocess.elf.sections.typekeywordextendedELF Section List type.
7388.11.0trueprocessprocess.elf.sections.var_entropylongextendedVariance for Shannon entropy calculation from the section.
7398.11.0trueprocessprocess.elf.sections.virtual_addresslongextendedELF Section List virtual address.
7408.11.0trueprocessprocess.elf.sections.virtual_sizelongextendedELF Section List virtual size.
7418.11.0trueprocessprocess.elf.segmentsnestedextendedarrayELF object segment list.
7428.11.0trueprocessprocess.elf.segments.sectionskeywordextendedELF object segment sections.
7438.11.0trueprocessprocess.elf.segments.typekeywordextendedELF object segment type.
7448.11.0trueprocessprocess.elf.shared_librarieskeywordextendedarrayList of shared libraries used by this ELF object.
7458.11.0trueprocessprocess.elf.telfhashkeywordextendedtelfhash hash for ELF file.
7468.11.0trueprocessprocess.enddateextended2016-05-23T08:05:34.853ZThe time the process ended.
7478.11.0trueprocessprocess.entity_idkeywordextendedc2c455d9f99375dUnique identifier for the process.
7488.11.0trueprocessprocess.entry_leader.argskeywordextendedarray["/usr/bin/ssh", "-l", "user", "10.0.0.16"]Array of process arguments.
7498.11.0trueprocessprocess.entry_leader.args_countlongextended4Length of the process.args array.
7508.11.0trueprocessprocess.entry_leader.attested_groups.namekeywordextendedName of the group.
7518.11.0trueprocessprocess.entry_leader.attested_user.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
7528.11.0trueprocessprocess.entry_leader.attested_user.namekeywordcorea.einsteinShort name or login of the user.
7538.11.0trueprocessprocess.entry_leader.attested_user.name.textkeywordcorea.einsteinShort name or login of the user.
7548.11.0trueprocessprocess.entry_leader.command_linekeywordextended/usr/bin/ssh -l user 10.0.0.16Full command line that started the process.
7558.11.0trueprocessprocess.entry_leader.command_line.textkeywordextended/usr/bin/ssh -l user 10.0.0.16Full command line that started the process.
7568.11.0trueprocessprocess.entry_leader.entity_idkeywordextendedc2c455d9f99375dUnique identifier for the process.
7578.11.0trueprocessprocess.entry_leader.entry_meta.source.ipipcoreIP address of the source.
7588.11.0trueprocessprocess.entry_leader.entry_meta.typekeywordextendedThe entry type for the entry session leader.
7598.11.0trueprocessprocess.entry_leader.executablekeywordextended/usr/bin/sshAbsolute path to the process executable.
7608.11.0trueprocessprocess.entry_leader.executable.textkeywordextended/usr/bin/sshAbsolute path to the process executable.
7618.11.0trueprocessprocess.entry_leader.group.idkeywordextendedUnique identifier for the group on the system/platform.
7628.11.0trueprocessprocess.entry_leader.group.namekeywordextendedName of the group.
7638.11.0trueprocessprocess.entry_leader.interactivebooleanextendedTrueWhether the process is connected to an interactive shell.
7648.11.0trueprocessprocess.entry_leader.namekeywordextendedsshProcess name.
7658.11.0trueprocessprocess.entry_leader.name.textkeywordextendedsshProcess name.
7668.11.0trueprocessprocess.entry_leader.parent.entity_idkeywordextendedc2c455d9f99375dUnique identifier for the process.
7678.11.0trueprocessprocess.entry_leader.parent.pidlongcore4242Process id.
7688.11.0trueprocessprocess.entry_leader.parent.session_leader.entity_idkeywordextendedc2c455d9f99375dUnique identifier for the process.
7698.11.0trueprocessprocess.entry_leader.parent.session_leader.pidlongcore4242Process id.
7708.11.0trueprocessprocess.entry_leader.parent.session_leader.startdateextended2016-05-23T08:05:34.853ZThe time the process started.
7718.11.0trueprocessprocess.entry_leader.parent.session_leader.vpidlongcore4242Virtual process id.
7728.11.0trueprocessprocess.entry_leader.parent.startdateextended2016-05-23T08:05:34.853ZThe time the process started.
7738.11.0trueprocessprocess.entry_leader.parent.vpidlongcore4242Virtual process id.
7748.11.0trueprocessprocess.entry_leader.pidlongcore4242Process id.
7758.11.0trueprocessprocess.entry_leader.real_group.idkeywordextendedUnique identifier for the group on the system/platform.
7768.11.0trueprocessprocess.entry_leader.real_group.namekeywordextendedName of the group.
7778.11.0trueprocessprocess.entry_leader.real_user.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
7788.11.0trueprocessprocess.entry_leader.real_user.namekeywordcorea.einsteinShort name or login of the user.
7798.11.0trueprocessprocess.entry_leader.real_user.name.textkeywordcorea.einsteinShort name or login of the user.
7808.11.0trueprocessprocess.entry_leader.same_as_processbooleanextendedTrueThis boolean is used to identify if a leader process is the same as the top level process.
7818.11.0trueprocessprocess.entry_leader.saved_group.idkeywordextendedUnique identifier for the group on the system/platform.
7828.11.0trueprocessprocess.entry_leader.saved_group.namekeywordextendedName of the group.
7838.11.0trueprocessprocess.entry_leader.saved_user.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
7848.11.0trueprocessprocess.entry_leader.saved_user.namekeywordcorea.einsteinShort name or login of the user.
7858.11.0trueprocessprocess.entry_leader.saved_user.name.textkeywordcorea.einsteinShort name or login of the user.
7868.11.0trueprocessprocess.entry_leader.startdateextended2016-05-23T08:05:34.853ZThe time the process started.
7878.11.0trueprocessprocess.entry_leader.supplemental_groups.idkeywordextendedUnique identifier for the group on the system/platform.
7888.11.0trueprocessprocess.entry_leader.supplemental_groups.namekeywordextendedName of the group.
7898.11.0trueprocessprocess.entry_leader.ttyobjectextendedInformation about the controlling TTY device.
7908.11.0trueprocessprocess.entry_leader.tty.char_device.majorlongextended4The TTY character device's major number.
7918.11.0trueprocessprocess.entry_leader.tty.char_device.minorlongextended1The TTY character device's minor number.
7928.11.0trueprocessprocess.entry_leader.user.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
7938.11.0trueprocessprocess.entry_leader.user.namekeywordcorea.einsteinShort name or login of the user.
7948.11.0trueprocessprocess.entry_leader.user.name.textkeywordcorea.einsteinShort name or login of the user.
7958.11.0trueprocessprocess.entry_leader.vpidlongcore4242Virtual process id.
7968.11.0trueprocessprocess.entry_leader.working_directorykeywordextended/home/aliceThe working directory of the process.
7978.11.0trueprocessprocess.entry_leader.working_directory.textkeywordextended/home/aliceThe working directory of the process.
7988.11.0trueprocessprocess.env_varskeywordextendedarray["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]Array of environment variable bindings.
7998.11.0trueprocessprocess.executablekeywordextended/usr/bin/sshAbsolute path to the process executable.
8008.11.0trueprocessprocess.executable.textkeywordextended/usr/bin/sshAbsolute path to the process executable.
8018.11.0trueprocessprocess.exit_codelongextended137The exit code of the process.
8028.11.0trueprocessprocess.group_leader.argskeywordextendedarray["/usr/bin/ssh", "-l", "user", "10.0.0.16"]Array of process arguments.
8038.11.0trueprocessprocess.group_leader.args_countlongextended4Length of the process.args array.
8048.11.0trueprocessprocess.group_leader.command_linekeywordextended/usr/bin/ssh -l user 10.0.0.16Full command line that started the process.
8058.11.0trueprocessprocess.group_leader.command_line.textkeywordextended/usr/bin/ssh -l user 10.0.0.16Full command line that started the process.
8068.11.0trueprocessprocess.group_leader.entity_idkeywordextendedc2c455d9f99375dUnique identifier for the process.
8078.11.0trueprocessprocess.group_leader.executablekeywordextended/usr/bin/sshAbsolute path to the process executable.
8088.11.0trueprocessprocess.group_leader.executable.textkeywordextended/usr/bin/sshAbsolute path to the process executable.
8098.11.0trueprocessprocess.group_leader.group.idkeywordextendedUnique identifier for the group on the system/platform.
8108.11.0trueprocessprocess.group_leader.group.namekeywordextendedName of the group.
8118.11.0trueprocessprocess.group_leader.interactivebooleanextendedTrueWhether the process is connected to an interactive shell.
8128.11.0trueprocessprocess.group_leader.namekeywordextendedsshProcess name.
8138.11.0trueprocessprocess.group_leader.name.textkeywordextendedsshProcess name.
8148.11.0trueprocessprocess.group_leader.pidlongcore4242Process id.
8158.11.0trueprocessprocess.group_leader.real_group.idkeywordextendedUnique identifier for the group on the system/platform.
8168.11.0trueprocessprocess.group_leader.real_group.namekeywordextendedName of the group.
8178.11.0trueprocessprocess.group_leader.real_user.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
8188.11.0trueprocessprocess.group_leader.real_user.namekeywordcorea.einsteinShort name or login of the user.
8198.11.0trueprocessprocess.group_leader.real_user.name.textkeywordcorea.einsteinShort name or login of the user.
8208.11.0trueprocessprocess.group_leader.same_as_processbooleanextendedTrueThis boolean is used to identify if a leader process is the same as the top level process.
8218.11.0trueprocessprocess.group_leader.saved_group.idkeywordextendedUnique identifier for the group on the system/platform.
8228.11.0trueprocessprocess.group_leader.saved_group.namekeywordextendedName of the group.
8238.11.0trueprocessprocess.group_leader.saved_user.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
8248.11.0trueprocessprocess.group_leader.saved_user.namekeywordcorea.einsteinShort name or login of the user.
8258.11.0trueprocessprocess.group_leader.saved_user.name.textkeywordcorea.einsteinShort name or login of the user.
8268.11.0trueprocessprocess.group_leader.startdateextended2016-05-23T08:05:34.853ZThe time the process started.
8278.11.0trueprocessprocess.group_leader.supplemental_groups.idkeywordextendedUnique identifier for the group on the system/platform.
8288.11.0trueprocessprocess.group_leader.supplemental_groups.namekeywordextendedName of the group.
8298.11.0trueprocessprocess.group_leader.ttyobjectextendedInformation about the controlling TTY device.
8308.11.0trueprocessprocess.group_leader.tty.char_device.majorlongextended4The TTY character device's major number.
8318.11.0trueprocessprocess.group_leader.tty.char_device.minorlongextended1The TTY character device's minor number.
8328.11.0trueprocessprocess.group_leader.user.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
8338.11.0trueprocessprocess.group_leader.user.namekeywordcorea.einsteinShort name or login of the user.
8348.11.0trueprocessprocess.group_leader.user.name.textkeywordcorea.einsteinShort name or login of the user.
8358.11.0trueprocessprocess.group_leader.vpidlongcore4242Virtual process id.
8368.11.0trueprocessprocess.group_leader.working_directorykeywordextended/home/aliceThe working directory of the process.
8378.11.0trueprocessprocess.group_leader.working_directory.textkeywordextended/home/aliceThe working directory of the process.
8388.11.0trueprocessprocess.hash.md5keywordextendedMD5 hash.
8398.11.0trueprocessprocess.hash.sha1keywordextendedSHA1 hash.
8408.11.0trueprocessprocess.hash.sha256keywordextendedSHA256 hash.
8418.11.0trueprocessprocess.hash.sha384keywordextendedSHA384 hash.
8428.11.0trueprocessprocess.hash.sha512keywordextendedSHA512 hash.
8438.11.0trueprocessprocess.hash.ssdeepkeywordextendedSSDEEP hash.
8448.11.0trueprocessprocess.hash.tlshkeywordextendedTLSH hash.
8458.11.0trueprocessprocess.interactivebooleanextendedTrueWhether the process is connected to an interactive shell.
8468.11.0trueprocessprocess.ioobjectextendedA chunk of input or output (IO) from a single process.
8478.11.0trueprocessprocess.io.bytes_skippedobjectextendedarrayAn array of byte offsets and lengths denoting where IO data has been skipped.
8488.11.0trueprocessprocess.io.bytes_skipped.lengthlongextendedThe length of bytes skipped.
8498.11.0trueprocessprocess.io.bytes_skipped.offsetlongextendedThe byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped.
8508.11.0trueprocessprocess.io.max_bytes_per_process_exceededbooleanextendedIf true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting.
8518.11.0trueprocessprocess.io.textkeywordextendedA chunk of output or input sanitized to UTF-8.
8528.11.0trueprocessprocess.io.total_bytes_capturedlongextendedThe total number of bytes captured in this event.
8538.11.0trueprocessprocess.io.total_bytes_skippedlongextendedThe total number of bytes that were not captured due to implementation restrictions such as buffer size limits.
8548.11.0trueprocessprocess.io.typekeywordextendedThe type of object on which the IO action (read or write) was taken.
8558.11.0trueprocessprocess.macho.go_import_hashkeywordextended10bddcb4cee42080f76c88d9ff964491A hash of the Go language imports in a Mach-O file.
8568.11.0trueprocessprocess.macho.go_importsflat_objectextendedList of imported Go language element names and types.
8578.11.0trueprocessprocess.macho.go_imports_names_entropylongextendedShannon entropy calculation from the list of Go imports.
8588.11.0trueprocessprocess.macho.go_imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of Go imports.
8598.11.0trueprocessprocess.macho.go_strippedbooleanextendedWhether the file is a stripped or obfuscated Go executable.
8608.11.0trueprocessprocess.macho.import_hashkeywordextendedd41d8cd98f00b204e9800998ecf8427eA hash of the imports in a Mach-O file.
8618.11.0trueprocessprocess.macho.importsflat_objectextendedarrayList of imported element names and types.
8628.11.0trueprocessprocess.macho.imports_names_entropylongextendedShannon entropy calculation from the list of imported element names and types.
8638.11.0trueprocessprocess.macho.imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of imported element names and types.
8648.11.0trueprocessprocess.macho.sectionsnestedextendedarraySection information of the Mach-O file.
8658.11.0trueprocessprocess.macho.sections.entropylongextendedShannon entropy calculation from the section.
8668.11.0trueprocessprocess.macho.sections.namekeywordextendedMach-O Section List name.
8678.11.0trueprocessprocess.macho.sections.physical_sizelongextendedMach-O Section List physical size.
8688.11.0trueprocessprocess.macho.sections.var_entropylongextendedVariance for Shannon entropy calculation from the section.
8698.11.0trueprocessprocess.macho.sections.virtual_sizelongextendedMach-O Section List virtual size. This is always the same as `physical_size`.
8708.11.0trueprocessprocess.macho.symhashkeywordextendedd3ccf195b62a9279c3c19af1080497ecA hash of the imports in a Mach-O file.
8718.11.0trueprocessprocess.namekeywordextendedsshProcess name.
8728.11.0trueprocessprocess.name.textkeywordextendedsshProcess name.
8738.11.0trueprocessprocess.parent.argskeywordextendedarray["/usr/bin/ssh", "-l", "user", "10.0.0.16"]Array of process arguments.
8748.11.0trueprocessprocess.parent.args_countlongextended4Length of the process.args array.
8758.11.0trueprocessprocess.parent.code_signature.digest_algorithmkeywordextendedsha256Hashing algorithm used to sign the process.
8768.11.0trueprocessprocess.parent.code_signature.existsbooleancoretrueBoolean to capture if a signature is present.
8778.11.0trueprocessprocess.parent.code_signature.signing_idkeywordextendedcom.apple.xpc.proxyThe identifier used to sign the process.
8788.11.0trueprocessprocess.parent.code_signature.statuskeywordextendedERROR_UNTRUSTED_ROOTAdditional information about the certificate status.
8798.11.0trueprocessprocess.parent.code_signature.subject_namekeywordcoreMicrosoft CorporationSubject name of the code signer
8808.11.0trueprocessprocess.parent.code_signature.team_idkeywordextendedEQHXZ8M8AVThe team identifier used to sign the process.
8818.11.0trueprocessprocess.parent.code_signature.timestampdateextended2021-01-01T12:10:30ZWhen the signature was generated and signed.
8828.11.0trueprocessprocess.parent.code_signature.trustedbooleanextendedtrueStores the trust status of the certificate chain.
8838.11.0trueprocessprocess.parent.code_signature.validbooleanextendedtrueBoolean to capture if the digital signature is verified against the binary content.
8848.11.0trueprocessprocess.parent.command_linekeywordextended/usr/bin/ssh -l user 10.0.0.16Full command line that started the process.
8858.11.0trueprocessprocess.parent.command_line.textkeywordextended/usr/bin/ssh -l user 10.0.0.16Full command line that started the process.
8868.11.0trueprocessprocess.parent.elf.architecturekeywordextendedx86-64Machine architecture of the ELF file.
8878.11.0trueprocessprocess.parent.elf.byte_orderkeywordextendedLittle EndianByte sequence of ELF file.
8888.11.0trueprocessprocess.parent.elf.cpu_typekeywordextendedIntelCPU type of the ELF file.
8898.11.0trueprocessprocess.parent.elf.creation_datedateextendedBuild or compile date.
8908.11.0trueprocessprocess.parent.elf.exportsflat_objectextendedarrayList of exported element names and types.
8918.11.0trueprocessprocess.parent.elf.go_import_hashkeywordextended10bddcb4cee42080f76c88d9ff964491A hash of the Go language imports in an ELF file.
8928.11.0trueprocessprocess.parent.elf.go_importsflat_objectextendedList of imported Go language element names and types.
8938.11.0trueprocessprocess.parent.elf.go_imports_names_entropylongextendedShannon entropy calculation from the list of Go imports.
8.11.0,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
8.11.0,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
8.11.0,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
8.11.0,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file.
8.11.0,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header.
8.11.0,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
8.11.0,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
8.11.0,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
8.11.0,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file.
8.11.0,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header.
8.11.0,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file.
8.11.0,true,process,process.parent.elf.imports,flat_object,extended,array,,List of imported element names and types.
8.11.0,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
8.11.0,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
8.11.0,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file.
8.11.0,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
8.11.0,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
8.11.0,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags.
8.11.0,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name.
8.11.0,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
8.11.0,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
8.11.0,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type.
8.11.0,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
8.11.0,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
8.11.0,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
8.11.0,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list.
8.11.0,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections.
8.11.0,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type.
8.11.0,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
8.11.0,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
8.11.0,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
8.11.0,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
8.11.0,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.11.0,true,process,process.parent.executable.text,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.11.0,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
8.11.0,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.11.0,true,process,process.parent.group.name,keyword,extended,,,Name of the group.
8.11.0,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
8.11.0,true,process,process.parent.group_leader.pid,long,core,,4242,Process id.
8.11.0,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
8.11.0,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id.
8.11.0,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash.
8.11.0,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash.
8.11.0,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash.
8.11.0,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash.
8.11.0,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash.
8.11.0,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash.
8.11.0,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash.
8.11.0,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
8.11.0,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file.
8.11.0,true,process,process.parent.macho.go_imports,flat_object,extended,,,List of imported Go language element names and types.
8.11.0,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
8.11.0,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
8.11.0,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
8.11.0,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file.
8.11.0,true,process,process.parent.macho.imports,flat_object,extended,array,,List of imported element names and types.
8.11.0,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
8.11.0,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
8.11.0,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file.
8.11.0,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
8.11.0,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name.
8.11.0,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size.
8.11.0,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
8.11.0,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`.
8.11.0,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file.
8.11.0,true,process,process.parent.name,keyword,extended,,ssh,Process name.
8.11.0,true,process,process.parent.name.text,keyword,extended,,ssh,Process name.
8.11.0,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
8.11.0,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
8.11.0,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
8.11.0,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
8.11.0,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file.
8.11.0,true,process,process.parent.pe.go_imports,flat_object,extended,,,List of imported Go language element names and types.
8.11.0,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
8.11.0,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
8.11.0,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
8.11.0,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
8.11.0,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file.
8.11.0,true,process,process.parent.pe.imports,flat_object,extended,array,,List of imported element names and types.
8.11.0,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
8.11.0,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
8.11.0,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
8.11.0,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections.
8.11.0,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
8.11.0,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file.
8.11.0,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
8.11.0,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name.
8.11.0,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size.
8.11.0,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
8.11.0,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`.
8.11.0,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to.
8.11.0,true,process,process.parent.pid,long,core,,4242,Process id.
8.11.0,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.11.0,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group.
8.11.0,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
8.11.0,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user.
8.11.0,true,process,process.parent.real_user.name.text,keyword,core,,a.einstein,Short name or login of the user.
8.11.0,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.11.0,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group.
8.11.0,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
8.11.0,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user.
8.11.0,true,process,process.parent.saved_user.name.text,keyword,core,,a.einstein,Short name or login of the user.
8.11.0,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
8.11.0,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.11.0,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group.
8.11.0,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks.
8.11.0,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume.
8.11.0,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
8.11.0,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name.
8.11.0,true,process,process.parent.title,keyword,extended,,,Process title.
8.11.0,true,process,process.parent.title.text,keyword,extended,,,Process title.
8.11.0,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device.
8.11.0,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number.
8.11.0,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
8.11.0,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
8.11.0,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
8.11.0,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user.
8.11.0,true,process,process.parent.user.name.text,keyword,core,,a.einstein,Short name or login of the user.
8.11.0,true,process,process.parent.vpid,long,core,,4242,Virtual process id.
8.11.0,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process.
8.11.0,true,process,process.parent.working_directory.text,keyword,extended,,/home/alice,The working directory of the process.
8.11.0,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
8.11.0,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
8.11.0,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
8.11.0,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
8.11.0,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file.
8.11.0,true,process,process.pe.go_imports,flat_object,extended,,,List of imported Go language element names and types.
8.11.0,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports.
8.11.0,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports.
8.11.0,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable.
8.11.0,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
8.11.0,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file.
8.11.0,true,process,process.pe.imports,flat_object,extended,array,,List of imported element names and types.
8.11.0,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types.
8.11.0,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types.
8.11.0,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
8.11.0,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections.
8.11.0,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
8.11.0,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file.
8.11.0,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
8.11.0,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name.
8.11.0,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size.
8.11.0,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section.
8.11.0,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`.
8.11.0,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to.
8.11.0,true,process,process.pid,long,core,,4242,Process id.
8.11.0,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
8.11.0,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array.
8.11.0,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.11.0,true,process,process.previous.executable.text,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.11.0,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.11.0,true,process,process.real_group.name,keyword,extended,,,Name of the group.
8.11.0,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
8.11.0,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user.
8.11.0,true,process,process.real_user.name.text,keyword,core,,a.einstein,Short name or login of the user.
8.11.0,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.11.0,true,process,process.saved_group.name,keyword,extended,,,Name of the group.
8.11.0,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
8.11.0,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user.
8.11.0,true,process,process.saved_user.name.text,keyword,core,,a.einstein,Short name or login of the user.
8.11.0,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
8.11.0,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array.
8.11.0,true,process,process.session_leader.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
8.11.0,true,process,process.session_leader.command_line.text,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
8.11.0,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
8.11.0,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.11.0,true,process,process.session_leader.executable.text,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
8.11.0,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.11.0,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group.
8.11.0,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
8.11.0,true,process,process.session_leader.name,keyword,extended,,ssh,Process name.
8.11.0,true,process,process.session_leader.name.text,keyword,extended,,ssh,Process name.
8.11.0,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
8.11.0,true,process,process.session_leader.parent.pid,long,core,,4242,Process id.
8.11.0,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
8.11.0,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id.
8.11.0,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
8.11.0,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id.
8.11.0,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
8.11.0,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id.
8.11.0,true,process,process.session_leader.pid,long,core,,4242,Process id.
8.11.0,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.11.0,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group.
8.11.0,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
8.11.0,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user.
8.11.0,true,process,process.session_leader.real_user.name.text,keyword,core,,a.einstein,Short name or login of the user.
8.11.0,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process.
8.11.0,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.11.0,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group.
8.11.0,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
8.11.0,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user.
8.11.0,true,process,process.session_leader.saved_user.name.text,keyword,core,,a.einstein,Short name or login of the user.
8.11.0,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
8.11.0,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.11.0,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group.
8.11.0,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device.
8.11.0,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number.
8.11.0,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
8.11.0,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
8.11.0,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user.
8.11.0,true,process,process.session_leader.user.name.text,keyword,core,,a.einstein,Short name or login of the user.
8.11.0,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id.
8.11.0,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process.
8.11.0,true,process,process.session_leader.working_directory.text,keyword,extended,,/home/alice,The working directory of the process.
8.11.0,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
8.11.0,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.11.0,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group.
8.11.0,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks.
8.11.0,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume.
8.11.0,true,process,process.thread.id,long,extended,,4242,Thread ID.
8.11.0,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
8.11.0,true,process,process.title,keyword,extended,,,Process title.
8.11.0,true,process,process.title.text,keyword,extended,,,Process title.
8.11.0,true,process,process.tty,object,extended,,,Information about the controlling TTY device.
8.11.0,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number.
8.11.0,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
8.11.0,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width
8.11.0,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height
8.11.0,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
8.11.0,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
8.11.0,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user.
8.11.0,true,process,process.user.name.text,keyword,core,,a.einstein,Short name or login of the user.
8.11.0,true,process,process.vpid,long,core,,4242,Virtual process id.
8.11.0,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process.
8.11.0,true,process,process.working_directory.text,keyword,extended,,/home/alice,The working directory of the process.
8.11.0,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
8.11.0,true,registry,registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
8.11.0,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
8.11.0,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
8.11.0,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
8.11.0,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
8.11.0,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
8.11.0,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
8.11.0,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
8.11.0,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
8.11.0,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event.
8.11.0,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author
8.11.0,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category
8.11.0,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description
8.11.0,true,rule,rule.id,keyword,extended,,101,Rule ID
8.11.0,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license
8.11.0,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name
8.11.0,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL
8.11.0,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset
8.11.0,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID
8.11.0,true,rule,rule.version,keyword,extended,,1.1,Rule version
8.11.0,true,server,server.address,keyword,extended,,,Server network address.
8.11.0,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
8.11.0,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name.
8.11.0,true,server,server.as.organization.name.text,keyword,extended,,Google LLC,Organization name.
8.11.0,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client.
8.11.0,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server.
8.11.0,true,server,server.geo.city_name,keyword,core,,Montreal,City name.
8.11.0,true,server,server.geo.continent_code,keyword,core,,NA,Continent code.
8.11.0,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent.
8.11.0,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code.
8.11.0,true,server,server.geo.country_name,keyword,core,,Canada,Country name.
8.11.0,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
8.11.0,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
8.11.0,true,server,server.geo.postal_code,keyword,core,,94040,Postal code.
8.11.0,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
8.11.0,true,server,server.geo.region_name,keyword,core,,Quebec,Region name.
8.11.0,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
8.11.0,true,server,server.ip,ip,core,,,IP address of the server.
8.11.0,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server.
8.11.0,true,server,server.nat.ip,ip,extended,,,Server NAT ip
8.11.0,true,server,server.nat.port,long,extended,,,Server NAT port
8.11.0,true,server,server.packets,long,core,,12,Packets sent from the server to the client.
8.11.0,true,server,server.port,long,core,,,Port of the server.
8.11.0,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain."
8.11.0,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain.
8.11.0,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
8.11.0,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of.
8.11.0,true,server,server.user.email,keyword,extended,,,User email address.
8.11.0,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
8.11.0,true,server,server.user.full_name.text,keyword,extended,,Albert Einstein,"User's full name, if available."
8.11.0,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
8.11.0,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
8.11.0,true,server,server.user.group.name,keyword,extended,,,Name of the group.
8.11.0,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
8.11.0,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
8.11.0,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user.
8.11.0,true,server,server.user.name.text,keyword,core,,a.einstein,Short name or login of the user.
8.11.0,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
8.11.0,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service.
8.11.0,true,service,service.environment,keyword,extended,,production,Environment of the service.
8.11.0,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
8.11.0,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
8.11.0,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service.
8.11.0,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node.
8.11.0,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node.
8.11.0,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node.
8.11.0,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service.
8.11.0,true,service,service.origin.environment,keyword,extended,,production,Environment of the service.
8.11.0,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
8.11.0,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
8.11.0,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service.
8.11.0,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node.
8.11.0,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node.
8.11.0,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node.
8.11.0,true,service,service.origin.state,keyword,core,,,Current state of the service.
8.11.0,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service.
8.11.0,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service.
8.11.0,true,service,service.state,keyword,core,,,Current state of the service.
8.11.0,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service.
8.11.0,true,service,service.target.environment,keyword,extended,,production,Environment of the service.
8.11.0,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service.
8.11.0,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service.
8.11.0,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service.
8.11.0,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node.
8.11.0,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node.
8.11.0,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node.
8.11.0,true,service,service.target.state,keyword,core,,,Current state of the service.
8.11.0,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service.
8.11.0,true,service,service.target.version,keyword,core,,3.2.4,Version of the service.
8.11.0,true,service,service.type,keyword,core,,elasticsearch,The type of the service.
8.11.0,true,service,service.version,keyword,core,,3.2.4,Version of the service.
8.11.0,true,source,source.address,keyword,extended,,,Source network address.
8.11.0,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
8.11.0,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name.
8.11.0,true,source,source.as.organization.name.text,keyword,extended,,Google LLC,Organization name.
8.11.0,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination.
8.11.0,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source.
8.11.0,true,source,source.geo.city_name,keyword,core,,Montreal,City name.
8.11.0,true,source,source.geo.continent_code,keyword,core,,NA,Continent code.
8.11.0,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent.
8.11.0,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code.
8.11.0,true,source,source.geo.country_name,keyword,core,,Canada,Country name.
8.11.0,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
8.11.0,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
8.11.0,true,source,source.geo.postal_code,keyword,core,,94040,Postal code.
8.11.0,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
8.11.0,true,source,source.geo.region_name,keyword,core,,Quebec,Region name.
8.11.0,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
8.11.0,true,source,source.ip,ip,core,,,IP address of the source.
8.11.0,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source.
8.11.0,true,source,source.nat.ip,ip,extended,,,Source NAT ip
8.11.0,true,source,source.nat.port,long,extended,,,Source NAT port
8.11.0,true,source,source.packets,long,core,,12,Packets sent from the source to the destination.
8.11.0,true,source,source.port,long,core,,,Port of the source.
12348.11.0truesourcesource.registered_domainkeywordextendedexample.comThe highest registered source domain, stripped of the subdomain.
12358.11.0truesourcesource.subdomainkeywordextendedeastThe subdomain of the domain.
12368.11.0truesourcesource.top_level_domainkeywordextendedco.ukThe effective top level domain (com, org, net, co.uk).
12378.11.0truesourcesource.user.domainkeywordextendedName of the directory the user is a member of.
12388.11.0truesourcesource.user.emailkeywordextendedUser email address.
12398.11.0truesourcesource.user.full_namekeywordextendedAlbert EinsteinUser's full name, if available.
12408.11.0truesourcesource.user.full_name.textkeywordextendedAlbert EinsteinUser's full name, if available.
12418.11.0truesourcesource.user.group.domainkeywordextendedName of the directory the group is a member of.
12428.11.0truesourcesource.user.group.idkeywordextendedUnique identifier for the group on the system/platform.
12438.11.0truesourcesource.user.group.namekeywordextendedName of the group.
12448.11.0truesourcesource.user.hashkeywordextendedUnique user hash to correlate information for a user in anonymized form.
12458.11.0truesourcesource.user.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
12468.11.0truesourcesource.user.namekeywordcorea.einsteinShort name or login of the user.
12478.11.0truesourcesource.user.name.textkeywordcorea.einsteinShort name or login of the user.
12488.11.0truesourcesource.user.roleskeywordextendedarray["kibana_admin", "reporting_user"]Array of user roles at the time of the event.
12498.11.0truespanspan.idkeywordextended3ff9a8981b7ccd5aUnique identifier of the span within the scope of its trace.
12508.11.0truethreatthreat.enrichmentsnestedextendedarrayList of objects containing indicators enriching the event.
12518.11.0truethreatthreat.enrichments.indicatorobjectextendedObject containing indicators enriching the event.
12528.11.0truethreatthreat.enrichments.indicator.as.numberlongextended15169Unique number allocated to the autonomous system.
12538.11.0truethreatthreat.enrichments.indicator.as.organization.namekeywordextendedGoogle LLCOrganization name.
12548.11.0truethreatthreat.enrichments.indicator.as.organization.name.textkeywordextendedGoogle LLCOrganization name.
12558.11.0truethreatthreat.enrichments.indicator.confidencekeywordextendedMediumIndicator confidence rating
12568.11.0truethreatthreat.enrichments.indicator.descriptionkeywordextendedIP x.x.x.x was observed delivering the Angler EK.Indicator description
12578.11.0truethreatthreat.enrichments.indicator.email.addresskeywordextendedphish@example.comIndicator email address
12588.11.0truethreatthreat.enrichments.indicator.file.accesseddateextendedLast time the file was accessed.
12598.11.0truethreatthreat.enrichments.indicator.file.attributeskeywordextendedarray["readonly", "system"]Array of file attributes.
12608.11.0truethreatthreat.enrichments.indicator.file.code_signature.digest_algorithmkeywordextendedsha256Hashing algorithm used to sign the process.
12618.11.0truethreatthreat.enrichments.indicator.file.code_signature.existsbooleancoretrueBoolean to capture if a signature is present.
12628.11.0truethreatthreat.enrichments.indicator.file.code_signature.signing_idkeywordextendedcom.apple.xpc.proxyThe identifier used to sign the process.
12638.11.0truethreatthreat.enrichments.indicator.file.code_signature.statuskeywordextendedERROR_UNTRUSTED_ROOTAdditional information about the certificate status.
12648.11.0truethreatthreat.enrichments.indicator.file.code_signature.subject_namekeywordcoreMicrosoft CorporationSubject name of the code signer
12658.11.0truethreatthreat.enrichments.indicator.file.code_signature.team_idkeywordextendedEQHXZ8M8AVThe team identifier used to sign the process.
12668.11.0truethreatthreat.enrichments.indicator.file.code_signature.timestampdateextended2021-01-01T12:10:30ZWhen the signature was generated and signed.
12678.11.0truethreatthreat.enrichments.indicator.file.code_signature.trustedbooleanextendedtrueStores the trust status of the certificate chain.
12688.11.0truethreatthreat.enrichments.indicator.file.code_signature.validbooleanextendedtrueBoolean to capture if the digital signature is verified against the binary content.
12698.11.0truethreatthreat.enrichments.indicator.file.createddateextendedFile creation time.
12708.11.0truethreatthreat.enrichments.indicator.file.ctimedateextendedLast time the file attributes or metadata changed.
12718.11.0truethreatthreat.enrichments.indicator.file.devicekeywordextendedsdaDevice that is the source of the file.
12728.11.0truethreatthreat.enrichments.indicator.file.directorykeywordextended/home/aliceDirectory where the file is located.
12738.11.0truethreatthreat.enrichments.indicator.file.drive_letterkeywordextendedCDrive letter where the file is located.
12748.11.0truethreatthreat.enrichments.indicator.file.elf.architecturekeywordextendedx86-64Machine architecture of the ELF file.
12758.11.0truethreatthreat.enrichments.indicator.file.elf.byte_orderkeywordextendedLittle EndianByte sequence of ELF file.
12768.11.0truethreatthreat.enrichments.indicator.file.elf.cpu_typekeywordextendedIntelCPU type of the ELF file.
12778.11.0truethreatthreat.enrichments.indicator.file.elf.creation_datedateextendedBuild or compile date.
12788.11.0truethreatthreat.enrichments.indicator.file.elf.exportsflat_objectextendedarrayList of exported element names and types.
12798.11.0truethreatthreat.enrichments.indicator.file.elf.go_import_hashkeywordextended10bddcb4cee42080f76c88d9ff964491A hash of the Go language imports in an ELF file.
12808.11.0truethreatthreat.enrichments.indicator.file.elf.go_importsflat_objectextendedList of imported Go language element names and types.
12818.11.0truethreatthreat.enrichments.indicator.file.elf.go_imports_names_entropylongextendedShannon entropy calculation from the list of Go imports.
12828.11.0truethreatthreat.enrichments.indicator.file.elf.go_imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of Go imports.
12838.11.0truethreatthreat.enrichments.indicator.file.elf.go_strippedbooleanextendedWhether the file is a stripped or obfuscated Go executable.
12848.11.0truethreatthreat.enrichments.indicator.file.elf.header.abi_versionkeywordextendedVersion of the ELF Application Binary Interface (ABI).
12858.11.0truethreatthreat.enrichments.indicator.file.elf.header.classkeywordextendedHeader class of the ELF file.
12868.11.0truethreatthreat.enrichments.indicator.file.elf.header.datakeywordextendedData table of the ELF header.
12878.11.0truethreatthreat.enrichments.indicator.file.elf.header.entrypointlongextendedHeader entrypoint of the ELF file.
12888.11.0truethreatthreat.enrichments.indicator.file.elf.header.object_versionkeywordextended"0x1" for original ELF files.
12898.11.0truethreatthreat.enrichments.indicator.file.elf.header.os_abikeywordextendedApplication Binary Interface (ABI) of the Linux OS.
12908.11.0truethreatthreat.enrichments.indicator.file.elf.header.typekeywordextendedHeader type of the ELF file.
12918.11.0truethreatthreat.enrichments.indicator.file.elf.header.versionkeywordextendedVersion of the ELF header.
12928.11.0truethreatthreat.enrichments.indicator.file.elf.import_hashkeywordextendedd41d8cd98f00b204e9800998ecf8427eA hash of the imports in an ELF file.
12938.11.0truethreatthreat.enrichments.indicator.file.elf.importsflat_objectextendedarrayList of imported element names and types.
12948.11.0truethreatthreat.enrichments.indicator.file.elf.imports_names_entropylongextendedShannon entropy calculation from the list of imported element names and types.
12958.11.0truethreatthreat.enrichments.indicator.file.elf.imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of imported element names and types.
12968.11.0truethreatthreat.enrichments.indicator.file.elf.sectionsnestedextendedarraySection information of the ELF file.
12978.11.0truethreatthreat.enrichments.indicator.file.elf.sections.chi2longextendedChi-square probability distribution of the section.
12988.11.0truethreatthreat.enrichments.indicator.file.elf.sections.entropylongextendedShannon entropy calculation from the section.
12998.11.0truethreatthreat.enrichments.indicator.file.elf.sections.flagskeywordextendedELF Section List flags.
13008.11.0truethreatthreat.enrichments.indicator.file.elf.sections.namekeywordextendedELF Section List name.
13018.11.0truethreatthreat.enrichments.indicator.file.elf.sections.physical_offsetkeywordextendedELF Section List offset.
13028.11.0truethreatthreat.enrichments.indicator.file.elf.sections.physical_sizelongextendedELF Section List physical size.
13038.11.0truethreatthreat.enrichments.indicator.file.elf.sections.typekeywordextendedELF Section List type.
13048.11.0truethreatthreat.enrichments.indicator.file.elf.sections.var_entropylongextendedVariance for Shannon entropy calculation from the section.
13058.11.0truethreatthreat.enrichments.indicator.file.elf.sections.virtual_addresslongextendedELF Section List virtual address.
13068.11.0truethreatthreat.enrichments.indicator.file.elf.sections.virtual_sizelongextendedELF Section List virtual size.
13078.11.0truethreatthreat.enrichments.indicator.file.elf.segmentsnestedextendedarrayELF object segment list.
13088.11.0truethreatthreat.enrichments.indicator.file.elf.segments.sectionskeywordextendedELF object segment sections.
13098.11.0truethreatthreat.enrichments.indicator.file.elf.segments.typekeywordextendedELF object segment type.
13108.11.0truethreatthreat.enrichments.indicator.file.elf.shared_librarieskeywordextendedarrayList of shared libraries used by this ELF object.
13118.11.0truethreatthreat.enrichments.indicator.file.elf.telfhashkeywordextendedtelfhash hash for ELF file.
13128.11.0truethreatthreat.enrichments.indicator.file.extensionkeywordextendedpngFile extension, excluding the leading dot.
13138.11.0truethreatthreat.enrichments.indicator.file.fork_namekeywordextendedZone.IdentiferA fork is additional data associated with a filesystem object.
13148.11.0truethreatthreat.enrichments.indicator.file.gidkeywordextended1001Primary group ID (GID) of the file.
13158.11.0truethreatthreat.enrichments.indicator.file.groupkeywordextendedalicePrimary group name of the file.
13168.11.0truethreatthreat.enrichments.indicator.file.hash.md5keywordextendedMD5 hash.
13178.11.0truethreatthreat.enrichments.indicator.file.hash.sha1keywordextendedSHA1 hash.
13188.11.0truethreatthreat.enrichments.indicator.file.hash.sha256keywordextendedSHA256 hash.
13198.11.0truethreatthreat.enrichments.indicator.file.hash.sha384keywordextendedSHA384 hash.
13208.11.0truethreatthreat.enrichments.indicator.file.hash.sha512keywordextendedSHA512 hash.
13218.11.0truethreatthreat.enrichments.indicator.file.hash.ssdeepkeywordextendedSSDEEP hash.
13228.11.0truethreatthreat.enrichments.indicator.file.hash.tlshkeywordextendedTLSH hash.
13238.11.0truethreatthreat.enrichments.indicator.file.inodekeywordextended256383Inode representing the file in the filesystem.
13248.11.0truethreatthreat.enrichments.indicator.file.mime_typekeywordextendedMedia type of file, document, or arrangement of bytes.
13258.11.0truethreatthreat.enrichments.indicator.file.modekeywordextended0640Mode of the file in octal representation.
13268.11.0truethreatthreat.enrichments.indicator.file.mtimedateextendedLast time the file content was modified.
13278.11.0truethreatthreat.enrichments.indicator.file.namekeywordextendedexample.pngName of the file including the extension, without the directory.
13288.11.0truethreatthreat.enrichments.indicator.file.ownerkeywordextendedaliceFile owner's username.
13298.11.0truethreatthreat.enrichments.indicator.file.pathkeywordextended/home/alice/example.pngFull path to the file, including the file name.
13308.11.0truethreatthreat.enrichments.indicator.file.path.textkeywordextended/home/alice/example.pngFull path to the file, including the file name.
13318.11.0truethreatthreat.enrichments.indicator.file.pe.architecturekeywordextendedx64CPU architecture target for the file.
13328.11.0truethreatthreat.enrichments.indicator.file.pe.companykeywordextendedMicrosoft CorporationInternal company name of the file, provided at compile-time.
13338.11.0truethreatthreat.enrichments.indicator.file.pe.descriptionkeywordextendedPaintInternal description of the file, provided at compile-time.
13348.11.0truethreatthreat.enrichments.indicator.file.pe.file_versionkeywordextended6.3.9600.17415Process name.
13358.11.0truethreatthreat.enrichments.indicator.file.pe.go_import_hashkeywordextended10bddcb4cee42080f76c88d9ff964491A hash of the Go language imports in a PE file.
13368.11.0truethreatthreat.enrichments.indicator.file.pe.go_importsflat_objectextendedList of imported Go language element names and types.
13378.11.0truethreatthreat.enrichments.indicator.file.pe.go_imports_names_entropylongextendedShannon entropy calculation from the list of Go imports.
13388.11.0truethreatthreat.enrichments.indicator.file.pe.go_imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of Go imports.
13398.11.0truethreatthreat.enrichments.indicator.file.pe.go_strippedbooleanextendedWhether the file is a stripped or obfuscated Go executable.
13408.11.0truethreatthreat.enrichments.indicator.file.pe.imphashkeywordextended0c6803c4e922103c4dca5963aad36ddfA hash of the imports in a PE file.
13418.11.0truethreatthreat.enrichments.indicator.file.pe.import_hashkeywordextendedd41d8cd98f00b204e9800998ecf8427eA hash of the imports in a PE file.
13428.11.0truethreatthreat.enrichments.indicator.file.pe.importsflat_objectextendedarrayList of imported element names and types.
13438.11.0truethreatthreat.enrichments.indicator.file.pe.imports_names_entropylongextendedShannon entropy calculation from the list of imported element names and types.
13448.11.0truethreatthreat.enrichments.indicator.file.pe.imports_names_var_entropylongextendedVariance for Shannon entropy calculation from the list of imported element names and types.
13458.11.0truethreatthreat.enrichments.indicator.file.pe.original_file_namekeywordextendedMSPAINT.EXEInternal name of the file, provided at compile-time.
13468.11.0truethreatthreat.enrichments.indicator.file.pe.pehashkeywordextended73ff189b63cd6be375a7ff25179a38d347651975A hash of the PE header and data from one or more PE sections.
13478.11.0truethreatthreat.enrichments.indicator.file.pe.productkeywordextendedMicrosoft® Windows® Operating SystemInternal product name of the file, provided at compile-time.
13488.11.0truethreatthreat.enrichments.indicator.file.pe.sectionsnestedextendedarraySection information of the PE file.
13498.11.0truethreatthreat.enrichments.indicator.file.pe.sections.entropylongextendedShannon entropy calculation from the section.
13508.11.0truethreatthreat.enrichments.indicator.file.pe.sections.namekeywordextendedPE Section List name.
13518.11.0truethreatthreat.enrichments.indicator.file.pe.sections.physical_sizelongextendedPE Section List physical size.
13528.11.0truethreatthreat.enrichments.indicator.file.pe.sections.var_entropylongextendedVariance for Shannon entropy calculation from the section.
13538.11.0truethreatthreat.enrichments.indicator.file.pe.sections.virtual_sizelongextendedPE Section List virtual size. This is always the same as `physical_size`.
13548.11.0truethreatthreat.enrichments.indicator.file.sizelongextended16384File size in bytes.
13558.11.0truethreatthreat.enrichments.indicator.file.target_pathkeywordextendedTarget path for symlinks.
13568.11.0truethreatthreat.enrichments.indicator.file.target_path.textkeywordextendedTarget path for symlinks.
13578.11.0truethreatthreat.enrichments.indicator.file.typekeywordextendedfileFile type (file, dir, or symlink).
13588.11.0truethreatthreat.enrichments.indicator.file.uidkeywordextended1001The user ID (UID) or security identifier (SID) of the file owner.
13598.11.0truethreatthreat.enrichments.indicator.file.x509.alternative_nameskeywordextendedarray*.elastic.coList of subject alternative names (SAN).
13608.11.0truethreatthreat.enrichments.indicator.file.x509.issuer.common_namekeywordextendedarrayExample SHA2 High Assurance Server CAList of common name (CN) of issuing certificate authority.
13618.11.0truethreatthreat.enrichments.indicator.file.x509.issuer.countrykeywordextendedarrayUSList of country \(C) codes
13628.11.0truethreatthreat.enrichments.indicator.file.x509.issuer.distinguished_namekeywordextendedC=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CADistinguished name (DN) of issuing certificate authority.
13638.11.0truethreatthreat.enrichments.indicator.file.x509.issuer.localitykeywordextendedarrayMountain ViewList of locality names (L)
13648.11.0truethreatthreat.enrichments.indicator.file.x509.issuer.organizationkeywordextendedarrayExample IncList of organizations (O) of issuing certificate authority.
13658.11.0truethreatthreat.enrichments.indicator.file.x509.issuer.organizational_unitkeywordextendedarraywww.example.comList of organizational units (OU) of issuing certificate authority.
13668.11.0truethreatthreat.enrichments.indicator.file.x509.issuer.state_or_provincekeywordextendedarrayCaliforniaList of state or province names (ST, S, or P)
13678.11.0truethreatthreat.enrichments.indicator.file.x509.not_afterdateextended2020-07-16T03:15:39ZTime at which the certificate is no longer considered valid.
13688.11.0truethreatthreat.enrichments.indicator.file.x509.not_beforedateextended2019-08-16T01:40:25ZTime at which the certificate is first considered valid.
13698.11.0truethreatthreat.enrichments.indicator.file.x509.public_key_algorithmkeywordextendedRSAAlgorithm used to generate the public key.
13708.11.0truethreatthreat.enrichments.indicator.file.x509.public_key_curvekeywordextendednistp521The curve used by the elliptic curve public key algorithm. This is algorithm specific.
13718.11.0falsethreatthreat.enrichments.indicator.file.x509.public_key_exponentlongextended65537Exponent used to derive the public key. This is algorithm specific.
13728.11.0truethreatthreat.enrichments.indicator.file.x509.public_key_sizelongextended2048The size of the public key space in bits.
13738.11.0truethreatthreat.enrichments.indicator.file.x509.serial_numberkeywordextended55FBB9C7DEBF09809D12CCAAUnique serial number issued by the certificate authority.
13748.11.0truethreatthreat.enrichments.indicator.file.x509.signature_algorithmkeywordextendedSHA256-RSAIdentifier for certificate signature algorithm.
13758.11.0truethreatthreat.enrichments.indicator.file.x509.subject.common_namekeywordextendedarrayshared.global.example.netList of common names (CN) of subject.
13768.11.0truethreatthreat.enrichments.indicator.file.x509.subject.countrykeywordextendedarrayUSList of country \(C) code
13778.11.0truethreatthreat.enrichments.indicator.file.x509.subject.distinguished_namekeywordextendedC=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.netDistinguished name (DN) of the certificate subject entity.
13788.11.0truethreatthreat.enrichments.indicator.file.x509.subject.localitykeywordextendedarraySan FranciscoList of locality names (L)
13798.11.0truethreatthreat.enrichments.indicator.file.x509.subject.organizationkeywordextendedarrayExample, Inc.List of organizations (O) of subject.
13808.11.0truethreatthreat.enrichments.indicator.file.x509.subject.organizational_unitkeywordextendedarrayList of organizational units (OU) of subject.
13818.11.0truethreatthreat.enrichments.indicator.file.x509.subject.state_or_provincekeywordextendedarrayCaliforniaList of state or province names (ST, S, or P)
13828.11.0truethreatthreat.enrichments.indicator.file.x509.version_numberkeywordextended3Version of x509 format.
13838.11.0truethreatthreat.enrichments.indicator.first_seendateextended2020-11-05T17:25:47.000ZDate/time indicator was first reported.
13848.11.0truethreatthreat.enrichments.indicator.geo.city_namekeywordcoreMontrealCity name.
13858.11.0truethreatthreat.enrichments.indicator.geo.continent_codekeywordcoreNAContinent code.
13868.11.0truethreatthreat.enrichments.indicator.geo.continent_namekeywordcoreNorth AmericaName of the continent.
13878.11.0truethreatthreat.enrichments.indicator.geo.country_iso_codekeywordcoreCACountry ISO code.
13888.11.0truethreatthreat.enrichments.indicator.geo.country_namekeywordcoreCanadaCountry name.
13898.11.0truethreatthreat.enrichments.indicator.geo.locationgeo_pointcore{ "lon": -73.614830, "lat": 45.505918 }Longitude and latitude.
13908.11.0truethreatthreat.enrichments.indicator.geo.namekeywordextendedboston-dcUser-defined description of a location.
13918.11.0truethreatthreat.enrichments.indicator.geo.postal_codekeywordcore94040Postal code.
13928.11.0truethreatthreat.enrichments.indicator.geo.region_iso_codekeywordcoreCA-QCRegion ISO code.
13938.11.0truethreatthreat.enrichments.indicator.geo.region_namekeywordcoreQuebecRegion name.
13948.11.0truethreatthreat.enrichments.indicator.geo.timezonekeywordcoreAmerica/Argentina/Buenos_AiresTime zone.
13958.11.0truethreatthreat.enrichments.indicator.ipipextended1.2.3.4Indicator IP address
13968.11.0truethreatthreat.enrichments.indicator.last_seendateextended2020-11-05T17:25:47.000ZDate/time indicator was last reported.
13978.11.0truethreatthreat.enrichments.indicator.marking.tlpkeywordextendedCLEARIndicator TLP marking
13988.11.0truethreatthreat.enrichments.indicator.marking.tlp_versionkeywordextended2.0Indicator TLP version
13998.11.0truethreatthreat.enrichments.indicator.modified_atdateextended2020-11-05T17:25:47.000ZDate/time indicator was last updated.
14008.11.0truethreatthreat.enrichments.indicator.namekeywordextended5.2.75.227Indicator display name
14018.11.0truethreatthreat.enrichments.indicator.portlongextended443Indicator port
14028.11.0truethreatthreat.enrichments.indicator.providerkeywordextendedlrz_urlhausIndicator provider
14038.11.0truethreatthreat.enrichments.indicator.referencekeywordextendedhttps://system.example.com/indicator/0001234Indicator reference URL
14048.11.0truethreatthreat.enrichments.indicator.registry.data.byteskeywordextendedZQBuAC0AVQBTAAAAZQBuAAAAAAA=Original bytes written with base64 encoding.
14058.11.0truethreatthreat.enrichments.indicator.registry.data.stringskeywordcorearray["C:\rta\red_ttp\bin\myapp.exe"]List of strings representing what was written to the registry.
14068.11.0truethreatthreat.enrichments.indicator.registry.data.typekeywordcoreREG_SZStandard registry type for encoding contents
14078.11.0truethreatthreat.enrichments.indicator.registry.hivekeywordcoreHKLMAbbreviated name for the hive.
14088.11.0truethreatthreat.enrichments.indicator.registry.keykeywordcoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exeHive-relative path of keys.
14098.11.0truethreatthreat.enrichments.indicator.registry.pathkeywordcoreHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\DebuggerFull path, including hive, key and value
14108.11.0truethreatthreat.enrichments.indicator.registry.valuekeywordcoreDebuggerName of the value written.
14118.11.0truethreatthreat.enrichments.indicator.scanner_statslongextended4Scanner statistics
14128.11.0truethreatthreat.enrichments.indicator.sightingslongextended20Number of times indicator observed
14138.11.0truethreatthreat.enrichments.indicator.typekeywordextendedipv4-addrType of indicator
14148.11.0truethreatthreat.enrichments.indicator.url.domainkeywordextendedwww.elastic.coDomain of the url.
14158.11.0truethreatthreat.enrichments.indicator.url.extensionkeywordextendedpngFile extension from the request url, excluding the leading dot.
14168.11.0truethreatthreat.enrichments.indicator.url.fragmentkeywordextendedPortion of the url after the `#`.
14178.11.0truethreatthreat.enrichments.indicator.url.fullkeywordextendedhttps://www.elastic.co:443/search?q=elasticsearch#topFull unparsed URL.
14188.11.0truethreatthreat.enrichments.indicator.url.full.textkeywordextendedhttps://www.elastic.co:443/search?q=elasticsearch#topFull unparsed URL.
14198.11.0truethreatthreat.enrichments.indicator.url.originalkeywordextendedhttps://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearchUnmodified original url as seen in the event source.
14208.11.0truethreatthreat.enrichments.indicator.url.original.textkeywordextendedhttps://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearchUnmodified original url as seen in the event source.
14218.11.0truethreatthreat.enrichments.indicator.url.passwordkeywordextendedPassword of the request.
14228.11.0truethreatthreat.enrichments.indicator.url.pathkeywordextendedPath of the request, such as "/search".
14238.11.0truethreatthreat.enrichments.indicator.url.portlongextended443Port of the request, such as 443.
14248.11.0truethreatthreat.enrichments.indicator.url.querykeywordextendedQuery string of the request.
14258.11.0truethreatthreat.enrichments.indicator.url.registered_domainkeywordextendedexample.comThe highest registered url domain, stripped of the subdomain.
14268.11.0truethreatthreat.enrichments.indicator.url.schemekeywordextendedhttpsScheme of the url.
14278.11.0truethreatthreat.enrichments.indicator.url.subdomainkeywordextendedeastThe subdomain of the domain.
14288.11.0truethreatthreat.enrichments.indicator.url.top_level_domainkeywordextendedco.ukThe effective top level domain (com, org, net, co.uk).
14298.11.0truethreatthreat.enrichments.indicator.url.usernamekeywordextendedUsername of the request.
14308.11.0truethreatthreat.enrichments.indicator.x509.alternative_nameskeywordextendedarray*.elastic.coList of subject alternative names (SAN).
14318.11.0truethreatthreat.enrichments.indicator.x509.issuer.common_namekeywordextendedarrayExample SHA2 High Assurance Server CAList of common name (CN) of issuing certificate authority.
14328.11.0truethreatthreat.enrichments.indicator.x509.issuer.countrykeywordextendedarrayUSList of country \(C) codes
14338.11.0truethreatthreat.enrichments.indicator.x509.issuer.distinguished_namekeywordextendedC=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CADistinguished name (DN) of issuing certificate authority.
14348.11.0truethreatthreat.enrichments.indicator.x509.issuer.localitykeywordextendedarrayMountain ViewList of locality names (L)
14358.11.0truethreatthreat.enrichments.indicator.x509.issuer.organizationkeywordextendedarrayExample IncList of organizations (O) of issuing certificate authority.
14368.11.0truethreatthreat.enrichments.indicator.x509.issuer.organizational_unitkeywordextendedarraywww.example.comList of organizational units (OU) of issuing certificate authority.
14378.11.0truethreatthreat.enrichments.indicator.x509.issuer.state_or_provincekeywordextendedarrayCaliforniaList of state or province names (ST, S, or P)
14388.11.0truethreatthreat.enrichments.indicator.x509.not_afterdateextended2020-07-16T03:15:39ZTime at which the certificate is no longer considered valid.
14398.11.0truethreatthreat.enrichments.indicator.x509.not_beforedateextended2019-08-16T01:40:25ZTime at which the certificate is first considered valid.
14408.11.0truethreatthreat.enrichments.indicator.x509.public_key_algorithmkeywordextendedRSAAlgorithm used to generate the public key.
14418.11.0truethreatthreat.enrichments.indicator.x509.public_key_curvekeywordextendednistp521The curve used by the elliptic curve public key algorithm. This is algorithm specific.
14428.11.0falsethreatthreat.enrichments.indicator.x509.public_key_exponentlongextended65537Exponent used to derive the public key. This is algorithm specific.
14438.11.0truethreatthreat.enrichments.indicator.x509.public_key_sizelongextended2048The size of the public key space in bits.
14448.11.0truethreatthreat.enrichments.indicator.x509.serial_numberkeywordextended55FBB9C7DEBF09809D12CCAAUnique serial number issued by the certificate authority.
| 8.11.0 | true | threat | threat.enrichments.indicator.x509.signature_algorithm | keyword | extended | | SHA256-RSA | Identifier for certificate signature algorithm. |
| 8.11.0 | true | threat | threat.enrichments.indicator.x509.subject.common_name | keyword | extended | array | shared.global.example.net | List of common names (CN) of subject. |
| 8.11.0 | true | threat | threat.enrichments.indicator.x509.subject.country | keyword | extended | array | US | List of country (C) codes. |
| 8.11.0 | true | threat | threat.enrichments.indicator.x509.subject.distinguished_name | keyword | extended | | C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net | Distinguished name (DN) of the certificate subject entity. |
| 8.11.0 | true | threat | threat.enrichments.indicator.x509.subject.locality | keyword | extended | array | San Francisco | List of locality names (L). |
| 8.11.0 | true | threat | threat.enrichments.indicator.x509.subject.organization | keyword | extended | array | Example, Inc. | List of organizations (O) of subject. |
| 8.11.0 | true | threat | threat.enrichments.indicator.x509.subject.organizational_unit | keyword | extended | array | | List of organizational units (OU) of subject. |
| 8.11.0 | true | threat | threat.enrichments.indicator.x509.subject.state_or_province | keyword | extended | array | California | List of state or province names (ST, S, or P). |
| 8.11.0 | true | threat | threat.enrichments.indicator.x509.version_number | keyword | extended | | 3 | Version of x509 format. |
| 8.11.0 | true | threat | threat.enrichments.matched.atomic | keyword | extended | | bad-domain.com | Matched indicator value. |
| 8.11.0 | true | threat | threat.enrichments.matched.field | keyword | extended | | file.hash.sha256 | Matched indicator field. |
| 8.11.0 | true | threat | threat.enrichments.matched.id | keyword | extended | | ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 | Matched indicator identifier. |
| 8.11.0 | true | threat | threat.enrichments.matched.index | keyword | extended | | filebeat-8.0.0-2021.05.23-000011 | Matched indicator index. |
| 8.11.0 | true | threat | threat.enrichments.matched.occurred | date | extended | | 2021-10-05T17:00:58.326Z | Date of match. |
| 8.11.0 | true | threat | threat.enrichments.matched.type | keyword | extended | | indicator_match_rule | Type of indicator match. |
| 8.11.0 | true | threat | threat.feed.dashboard_id | keyword | extended | | 5ba16340-72e6-11eb-a3e3-b3cc7c78a70f | Feed dashboard ID. |
| 8.11.0 | true | threat | threat.feed.description | keyword | extended | | Threat feed from the AlienVault Open Threat eXchange network. | Description of the threat feed. |
| 8.11.0 | true | threat | threat.feed.name | keyword | extended | | AlienVault OTX | Name of the threat feed. |
| 8.11.0 | true | threat | threat.feed.reference | keyword | extended | | https://otx.alienvault.com | Reference for the threat feed. |
| 8.11.0 | true | threat | threat.framework | keyword | extended | | MITRE ATT&CK | Threat classification framework. |
| 8.11.0 | true | threat | threat.group.alias | keyword | extended | array | [ "Magecart Group 6" ] | Alias of the group. |
| 8.11.0 | true | threat | threat.group.id | keyword | extended | | G0037 | ID of the group. |
| 8.11.0 | true | threat | threat.group.name | keyword | extended | | FIN6 | Name of the group. |
| 8.11.0 | true | threat | threat.group.reference | keyword | extended | | https://attack.mitre.org/groups/G0037/ | Reference URL of the group. |
| 8.11.0 | true | threat | threat.indicator.as.number | long | extended | | 15169 | Unique number allocated to the autonomous system. |
| 8.11.0 | true | threat | threat.indicator.as.organization.name | keyword | extended | | Google LLC | Organization name. |
| 8.11.0 | true | threat | threat.indicator.as.organization.name.text | keyword | extended | | Google LLC | Organization name. |
| 8.11.0 | true | threat | threat.indicator.confidence | keyword | extended | | Medium | Indicator confidence rating. |
| 8.11.0 | true | threat | threat.indicator.description | keyword | extended | | IP x.x.x.x was observed delivering the Angler EK. | Indicator description. |
| 8.11.0 | true | threat | threat.indicator.email.address | keyword | extended | | phish@example.com | Indicator email address. |
| 8.11.0 | true | threat | threat.indicator.file.accessed | date | extended | | | Last time the file was accessed. |
| 8.11.0 | true | threat | threat.indicator.file.attributes | keyword | extended | array | ["readonly", "system"] | Array of file attributes. |
| 8.11.0 | true | threat | threat.indicator.file.code_signature.digest_algorithm | keyword | extended | | sha256 | Hashing algorithm used to sign the process. |
| 8.11.0 | true | threat | threat.indicator.file.code_signature.exists | boolean | core | | true | Boolean to capture if a signature is present. |
| 8.11.0 | true | threat | threat.indicator.file.code_signature.signing_id | keyword | extended | | com.apple.xpc.proxy | The identifier used to sign the process. |
| 8.11.0 | true | threat | threat.indicator.file.code_signature.status | keyword | extended | | ERROR_UNTRUSTED_ROOT | Additional information about the certificate status. |
| 8.11.0 | true | threat | threat.indicator.file.code_signature.subject_name | keyword | core | | Microsoft Corporation | Subject name of the code signer. |
| 8.11.0 | true | threat | threat.indicator.file.code_signature.team_id | keyword | extended | | EQHXZ8M8AV | The team identifier used to sign the process. |
| 8.11.0 | true | threat | threat.indicator.file.code_signature.timestamp | date | extended | | 2021-01-01T12:10:30Z | When the signature was generated and signed. |
| 8.11.0 | true | threat | threat.indicator.file.code_signature.trusted | boolean | extended | | true | Stores the trust status of the certificate chain. |
| 8.11.0 | true | threat | threat.indicator.file.code_signature.valid | boolean | extended | | true | Boolean to capture if the digital signature is verified against the binary content. |
| 8.11.0 | true | threat | threat.indicator.file.created | date | extended | | | File creation time. |
| 8.11.0 | true | threat | threat.indicator.file.ctime | date | extended | | | Last time the file attributes or metadata changed. |
| 8.11.0 | true | threat | threat.indicator.file.device | keyword | extended | | sda | Device that is the source of the file. |
| 8.11.0 | true | threat | threat.indicator.file.directory | keyword | extended | | /home/alice | Directory where the file is located. |
| 8.11.0 | true | threat | threat.indicator.file.drive_letter | keyword | extended | | C | Drive letter where the file is located. |
| 8.11.0 | true | threat | threat.indicator.file.elf.architecture | keyword | extended | | x86-64 | Machine architecture of the ELF file. |
| 8.11.0 | true | threat | threat.indicator.file.elf.byte_order | keyword | extended | | Little Endian | Byte sequence of ELF file. |
| 8.11.0 | true | threat | threat.indicator.file.elf.cpu_type | keyword | extended | | Intel | CPU type of the ELF file. |
| 8.11.0 | true | threat | threat.indicator.file.elf.creation_date | date | extended | | | Build or compile date. |
| 8.11.0 | true | threat | threat.indicator.file.elf.exports | flat_object | extended | array | | List of exported element names and types. |
| 8.11.0 | true | threat | threat.indicator.file.elf.go_import_hash | keyword | extended | | 10bddcb4cee42080f76c88d9ff964491 | A hash of the Go language imports in an ELF file. |
| 8.11.0 | true | threat | threat.indicator.file.elf.go_imports | flat_object | extended | | | List of imported Go language element names and types. |
| 8.11.0 | true | threat | threat.indicator.file.elf.go_imports_names_entropy | long | extended | | | Shannon entropy calculation from the list of Go imports. |
| 8.11.0 | true | threat | threat.indicator.file.elf.go_imports_names_var_entropy | long | extended | | | Variance for Shannon entropy calculation from the list of Go imports. |
| 8.11.0 | true | threat | threat.indicator.file.elf.go_stripped | boolean | extended | | | Whether the file is a stripped or obfuscated Go executable. |
| 8.11.0 | true | threat | threat.indicator.file.elf.header.abi_version | keyword | extended | | | Version of the ELF Application Binary Interface (ABI). |
| 8.11.0 | true | threat | threat.indicator.file.elf.header.class | keyword | extended | | | Header class of the ELF file. |
| 8.11.0 | true | threat | threat.indicator.file.elf.header.data | keyword | extended | | | Data table of the ELF header. |
| 8.11.0 | true | threat | threat.indicator.file.elf.header.entrypoint | long | extended | | | Header entrypoint of the ELF file. |
| 8.11.0 | true | threat | threat.indicator.file.elf.header.object_version | keyword | extended | | | "0x1" for original ELF files. |
| 8.11.0 | true | threat | threat.indicator.file.elf.header.os_abi | keyword | extended | | | Application Binary Interface (ABI) of the Linux OS. |
| 8.11.0 | true | threat | threat.indicator.file.elf.header.type | keyword | extended | | | Header type of the ELF file. |
| 8.11.0 | true | threat | threat.indicator.file.elf.header.version | keyword | extended | | | Version of the ELF header. |
| 8.11.0 | true | threat | threat.indicator.file.elf.import_hash | keyword | extended | | d41d8cd98f00b204e9800998ecf8427e | A hash of the imports in an ELF file. |
| 8.11.0 | true | threat | threat.indicator.file.elf.imports | flat_object | extended | array | | List of imported element names and types. |
| 8.11.0 | true | threat | threat.indicator.file.elf.imports_names_entropy | long | extended | | | Shannon entropy calculation from the list of imported element names and types. |
| 8.11.0 | true | threat | threat.indicator.file.elf.imports_names_var_entropy | long | extended | | | Variance for Shannon entropy calculation from the list of imported element names and types. |
| 8.11.0 | true | threat | threat.indicator.file.elf.sections | nested | extended | array | | Section information of the ELF file. |
| 8.11.0 | true | threat | threat.indicator.file.elf.sections.chi2 | long | extended | | | Chi-square probability distribution of the section. |
| 8.11.0 | true | threat | threat.indicator.file.elf.sections.entropy | long | extended | | | Shannon entropy calculation from the section. |
| 8.11.0 | true | threat | threat.indicator.file.elf.sections.flags | keyword | extended | | | ELF Section List flags. |
| 8.11.0 | true | threat | threat.indicator.file.elf.sections.name | keyword | extended | | | ELF Section List name. |
| 8.11.0 | true | threat | threat.indicator.file.elf.sections.physical_offset | keyword | extended | | | ELF Section List offset. |
| 8.11.0 | true | threat | threat.indicator.file.elf.sections.physical_size | long | extended | | | ELF Section List physical size. |
| 8.11.0 | true | threat | threat.indicator.file.elf.sections.type | keyword | extended | | | ELF Section List type. |
| 8.11.0 | true | threat | threat.indicator.file.elf.sections.var_entropy | long | extended | | | Variance for Shannon entropy calculation from the section. |
| 8.11.0 | true | threat | threat.indicator.file.elf.sections.virtual_address | long | extended | | | ELF Section List virtual address. |
| 8.11.0 | true | threat | threat.indicator.file.elf.sections.virtual_size | long | extended | | | ELF Section List virtual size. |
| 8.11.0 | true | threat | threat.indicator.file.elf.segments | nested | extended | array | | ELF object segment list. |
| 8.11.0 | true | threat | threat.indicator.file.elf.segments.sections | keyword | extended | | | ELF object segment sections. |
| 8.11.0 | true | threat | threat.indicator.file.elf.segments.type | keyword | extended | | | ELF object segment type. |
| 8.11.0 | true | threat | threat.indicator.file.elf.shared_libraries | keyword | extended | array | | List of shared libraries used by this ELF object. |
| 8.11.0 | true | threat | threat.indicator.file.elf.telfhash | keyword | extended | | | telfhash hash for ELF file. |
| 8.11.0 | true | threat | threat.indicator.file.extension | keyword | extended | | png | File extension, excluding the leading dot. |
| 8.11.0 | true | threat | threat.indicator.file.fork_name | keyword | extended | | Zone.Identifier | A fork is additional data associated with a filesystem object. |
| 8.11.0 | true | threat | threat.indicator.file.gid | keyword | extended | | 1001 | Primary group ID (GID) of the file. |
| 8.11.0 | true | threat | threat.indicator.file.group | keyword | extended | | alice | Primary group name of the file. |
| 8.11.0 | true | threat | threat.indicator.file.hash.md5 | keyword | extended | | | MD5 hash. |
| 8.11.0 | true | threat | threat.indicator.file.hash.sha1 | keyword | extended | | | SHA1 hash. |
| 8.11.0 | true | threat | threat.indicator.file.hash.sha256 | keyword | extended | | | SHA256 hash. |
| 8.11.0 | true | threat | threat.indicator.file.hash.sha384 | keyword | extended | | | SHA384 hash. |
| 8.11.0 | true | threat | threat.indicator.file.hash.sha512 | keyword | extended | | | SHA512 hash. |
| 8.11.0 | true | threat | threat.indicator.file.hash.ssdeep | keyword | extended | | | SSDEEP hash. |
| 8.11.0 | true | threat | threat.indicator.file.hash.tlsh | keyword | extended | | | TLSH hash. |
| 8.11.0 | true | threat | threat.indicator.file.inode | keyword | extended | | 256383 | Inode representing the file in the filesystem. |
| 8.11.0 | true | threat | threat.indicator.file.mime_type | keyword | extended | | | Media type of file, document, or arrangement of bytes. |
| 8.11.0 | true | threat | threat.indicator.file.mode | keyword | extended | | 0640 | Mode of the file in octal representation. |
| 8.11.0 | true | threat | threat.indicator.file.mtime | date | extended | | | Last time the file content was modified. |
| 8.11.0 | true | threat | threat.indicator.file.name | keyword | extended | | example.png | Name of the file including the extension, without the directory. |
| 8.11.0 | true | threat | threat.indicator.file.owner | keyword | extended | | alice | File owner's username. |
| 8.11.0 | true | threat | threat.indicator.file.path | keyword | extended | | /home/alice/example.png | Full path to the file, including the file name. |
| 8.11.0 | true | threat | threat.indicator.file.path.text | keyword | extended | | /home/alice/example.png | Full path to the file, including the file name. |
| 8.11.0 | true | threat | threat.indicator.file.pe.architecture | keyword | extended | | x64 | CPU architecture target for the file. |
| 8.11.0 | true | threat | threat.indicator.file.pe.company | keyword | extended | | Microsoft Corporation | Internal company name of the file, provided at compile-time. |
| 8.11.0 | true | threat | threat.indicator.file.pe.description | keyword | extended | | Paint | Internal description of the file, provided at compile-time. |
| 8.11.0 | true | threat | threat.indicator.file.pe.file_version | keyword | extended | | 6.3.9600.17415 | Process name. |
| 8.11.0 | true | threat | threat.indicator.file.pe.go_import_hash | keyword | extended | | 10bddcb4cee42080f76c88d9ff964491 | A hash of the Go language imports in a PE file. |
| 8.11.0 | true | threat | threat.indicator.file.pe.go_imports | flat_object | extended | | | List of imported Go language element names and types. |
| 8.11.0 | true | threat | threat.indicator.file.pe.go_imports_names_entropy | long | extended | | | Shannon entropy calculation from the list of Go imports. |
| 8.11.0 | true | threat | threat.indicator.file.pe.go_imports_names_var_entropy | long | extended | | | Variance for Shannon entropy calculation from the list of Go imports. |
| 8.11.0 | true | threat | threat.indicator.file.pe.go_stripped | boolean | extended | | | Whether the file is a stripped or obfuscated Go executable. |
| 8.11.0 | true | threat | threat.indicator.file.pe.imphash | keyword | extended | | 0c6803c4e922103c4dca5963aad36ddf | A hash of the imports in a PE file. |
| 8.11.0 | true | threat | threat.indicator.file.pe.import_hash | keyword | extended | | d41d8cd98f00b204e9800998ecf8427e | A hash of the imports in a PE file. |
| 8.11.0 | true | threat | threat.indicator.file.pe.imports | flat_object | extended | array | | List of imported element names and types. |
| 8.11.0 | true | threat | threat.indicator.file.pe.imports_names_entropy | long | extended | | | Shannon entropy calculation from the list of imported element names and types. |
| 8.11.0 | true | threat | threat.indicator.file.pe.imports_names_var_entropy | long | extended | | | Variance for Shannon entropy calculation from the list of imported element names and types. |
| 8.11.0 | true | threat | threat.indicator.file.pe.original_file_name | keyword | extended | | MSPAINT.EXE | Internal name of the file, provided at compile-time. |
| 8.11.0 | true | threat | threat.indicator.file.pe.pehash | keyword | extended | | 73ff189b63cd6be375a7ff25179a38d347651975 | A hash of the PE header and data from one or more PE sections. |
| 8.11.0 | true | threat | threat.indicator.file.pe.product | keyword | extended | | Microsoft® Windows® Operating System | Internal product name of the file, provided at compile-time. |
| 8.11.0 | true | threat | threat.indicator.file.pe.sections | nested | extended | array | | Section information of the PE file. |
| 8.11.0 | true | threat | threat.indicator.file.pe.sections.entropy | long | extended | | | Shannon entropy calculation from the section. |
| 8.11.0 | true | threat | threat.indicator.file.pe.sections.name | keyword | extended | | | PE Section List name. |
| 8.11.0 | true | threat | threat.indicator.file.pe.sections.physical_size | long | extended | | | PE Section List physical size. |
| 8.11.0 | true | threat | threat.indicator.file.pe.sections.var_entropy | long | extended | | | Variance for Shannon entropy calculation from the section. |
| 8.11.0 | true | threat | threat.indicator.file.pe.sections.virtual_size | long | extended | | | PE Section List virtual size. This is always the same as `physical_size`. |
| 8.11.0 | true | threat | threat.indicator.file.size | long | extended | | 16384 | File size in bytes. |
| 8.11.0 | true | threat | threat.indicator.file.target_path | keyword | extended | | | Target path for symlinks. |
| 8.11.0 | true | threat | threat.indicator.file.target_path.text | keyword | extended | | | Target path for symlinks. |
| 8.11.0 | true | threat | threat.indicator.file.type | keyword | extended | | file | File type (file, dir, or symlink). |
| 8.11.0 | true | threat | threat.indicator.file.uid | keyword | extended | | 1001 | The user ID (UID) or security identifier (SID) of the file owner. |
| 8.11.0 | true | threat | threat.indicator.file.x509.alternative_names | keyword | extended | array | *.elastic.co | List of subject alternative names (SAN). |
| 8.11.0 | true | threat | threat.indicator.file.x509.issuer.common_name | keyword | extended | array | Example SHA2 High Assurance Server CA | List of common names (CN) of issuing certificate authority. |
| 8.11.0 | true | threat | threat.indicator.file.x509.issuer.country | keyword | extended | array | US | List of country (C) codes. |
| 8.11.0 | true | threat | threat.indicator.file.x509.issuer.distinguished_name | keyword | extended | | C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA | Distinguished name (DN) of issuing certificate authority. |
| 8.11.0 | true | threat | threat.indicator.file.x509.issuer.locality | keyword | extended | array | Mountain View | List of locality names (L). |
| 8.11.0 | true | threat | threat.indicator.file.x509.issuer.organization | keyword | extended | array | Example Inc | List of organizations (O) of issuing certificate authority. |
| 8.11.0 | true | threat | threat.indicator.file.x509.issuer.organizational_unit | keyword | extended | array | www.example.com | List of organizational units (OU) of issuing certificate authority. |
| 8.11.0 | true | threat | threat.indicator.file.x509.issuer.state_or_province | keyword | extended | array | California | List of state or province names (ST, S, or P). |
| 8.11.0 | true | threat | threat.indicator.file.x509.not_after | date | extended | | 2020-07-16T03:15:39Z | Time at which the certificate is no longer considered valid. |
| 8.11.0 | true | threat | threat.indicator.file.x509.not_before | date | extended | | 2019-08-16T01:40:25Z | Time at which the certificate is first considered valid. |
| 8.11.0 | true | threat | threat.indicator.file.x509.public_key_algorithm | keyword | extended | | RSA | Algorithm used to generate the public key. |
| 8.11.0 | true | threat | threat.indicator.file.x509.public_key_curve | keyword | extended | | nistp521 | The curve used by the elliptic curve public key algorithm. This is algorithm specific. |
| 8.11.0 | false | threat | threat.indicator.file.x509.public_key_exponent | long | extended | | 65537 | Exponent used to derive the public key. This is algorithm specific. |
| 8.11.0 | true | threat | threat.indicator.file.x509.public_key_size | long | extended | | 2048 | The size of the public key space in bits. |
| 8.11.0 | true | threat | threat.indicator.file.x509.serial_number | keyword | extended | | 55FBB9C7DEBF09809D12CCAA | Unique serial number issued by the certificate authority. |
| 8.11.0 | true | threat | threat.indicator.file.x509.signature_algorithm | keyword | extended | | SHA256-RSA | Identifier for certificate signature algorithm. |
| 8.11.0 | true | threat | threat.indicator.file.x509.subject.common_name | keyword | extended | array | shared.global.example.net | List of common names (CN) of subject. |
| 8.11.0 | true | threat | threat.indicator.file.x509.subject.country | keyword | extended | array | US | List of country (C) codes. |
| 8.11.0 | true | threat | threat.indicator.file.x509.subject.distinguished_name | keyword | extended | | C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net | Distinguished name (DN) of the certificate subject entity. |
| 8.11.0 | true | threat | threat.indicator.file.x509.subject.locality | keyword | extended | array | San Francisco | List of locality names (L). |
| 8.11.0 | true | threat | threat.indicator.file.x509.subject.organization | keyword | extended | array | Example, Inc. | List of organizations (O) of subject. |
| 8.11.0 | true | threat | threat.indicator.file.x509.subject.organizational_unit | keyword | extended | array | | List of organizational units (OU) of subject. |
| 8.11.0 | true | threat | threat.indicator.file.x509.subject.state_or_province | keyword | extended | array | California | List of state or province names (ST, S, or P). |
| 8.11.0 | true | threat | threat.indicator.file.x509.version_number | keyword | extended | | 3 | Version of x509 format. |
| 8.11.0 | true | threat | threat.indicator.first_seen | date | extended | | 2020-11-05T17:25:47.000Z | Date/time indicator was first reported. |
| 8.11.0 | true | threat | threat.indicator.geo.city_name | keyword | core | | Montreal | City name. |
| 8.11.0 | true | threat | threat.indicator.geo.continent_code | keyword | core | | NA | Continent code. |
| 8.11.0 | true | threat | threat.indicator.geo.continent_name | keyword | core | | North America | Name of the continent. |
| 8.11.0 | true | threat | threat.indicator.geo.country_iso_code | keyword | core | | CA | Country ISO code. |
| 8.11.0 | true | threat | threat.indicator.geo.country_name | keyword | core | | Canada | Country name. |
| 8.11.0 | true | threat | threat.indicator.geo.location | geo_point | core | | { "lon": -73.614830, "lat": 45.505918 } | Longitude and latitude. |
| 8.11.0 | true | threat | threat.indicator.geo.name | keyword | extended | | boston-dc | User-defined description of a location. |
| 8.11.0 | true | threat | threat.indicator.geo.postal_code | keyword | core | | 94040 | Postal code. |
| 8.11.0 | true | threat | threat.indicator.geo.region_iso_code | keyword | core | | CA-QC | Region ISO code. |
| 8.11.0 | true | threat | threat.indicator.geo.region_name | keyword | core | | Quebec | Region name. |
| 8.11.0 | true | threat | threat.indicator.geo.timezone | keyword | core | | America/Argentina/Buenos_Aires | Time zone. |
| 8.11.0 | true | threat | threat.indicator.ip | ip | extended | | 1.2.3.4 | Indicator IP address. |
| 8.11.0 | true | threat | threat.indicator.last_seen | date | extended | | 2020-11-05T17:25:47.000Z | Date/time indicator was last reported. |
| 8.11.0 | true | threat | threat.indicator.marking.tlp | keyword | extended | | CLEAR | Indicator TLP marking. |
| 8.11.0 | true | threat | threat.indicator.marking.tlp_version | keyword | extended | | 2.0 | Indicator TLP version. |
| 8.11.0 | true | threat | threat.indicator.modified_at | date | extended | | 2020-11-05T17:25:47.000Z | Date/time indicator was last updated. |
| 8.11.0 | true | threat | threat.indicator.name | keyword | extended | | 5.2.75.227 | Indicator display name. |
| 8.11.0 | true | threat | threat.indicator.port | long | extended | | 443 | Indicator port. |
| 8.11.0 | true | threat | threat.indicator.provider | keyword | extended | | lrz_urlhaus | Indicator provider. |
| 8.11.0 | true | threat | threat.indicator.reference | keyword | extended | | https://system.example.com/indicator/0001234 | Indicator reference URL. |
| 8.11.0 | true | threat | threat.indicator.registry.data.bytes | keyword | extended | | ZQBuAC0AVQBTAAAAZQBuAAAAAAA= | Original bytes written with base64 encoding. |
| 8.11.0 | true | threat | threat.indicator.registry.data.strings | keyword | core | array | ["C:\rta\red_ttp\bin\myapp.exe"] | List of strings representing what was written to the registry. |
| 8.11.0 | true | threat | threat.indicator.registry.data.type | keyword | core | | REG_SZ | Standard registry type for encoding contents. |
| 8.11.0 | true | threat | threat.indicator.registry.hive | keyword | core | | HKLM | Abbreviated name for the hive. |
| 8.11.0 | true | threat | threat.indicator.registry.key | keyword | core | | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe | Hive-relative path of keys. |
| 8.11.0 | true | threat | threat.indicator.registry.path | keyword | core | | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger | Full path, including hive, key and value. |
| 8.11.0 | true | threat | threat.indicator.registry.value | keyword | core | | Debugger | Name of the value written. |
| 8.11.0 | true | threat | threat.indicator.scanner_stats | long | extended | | 4 | Scanner statistics. |
| 8.11.0 | true | threat | threat.indicator.sightings | long | extended | | 20 | Number of times indicator observed. |
| 8.11.0 | true | threat | threat.indicator.type | keyword | extended | | ipv4-addr | Type of indicator. |
| 8.11.0 | true | threat | threat.indicator.url.domain | keyword | extended | | www.elastic.co | Domain of the url. |
| 8.11.0 | true | threat | threat.indicator.url.extension | keyword | extended | | png | File extension from the request url, excluding the leading dot. |
| 8.11.0 | true | threat | threat.indicator.url.fragment | keyword | extended | | | Portion of the url after the `#`. |
| 8.11.0 | true | threat | threat.indicator.url.full | keyword | extended | | https://www.elastic.co:443/search?q=elasticsearch#top | Full unparsed URL. |
| 8.11.0 | true | threat | threat.indicator.url.full.text | keyword | extended | | https://www.elastic.co:443/search?q=elasticsearch#top | Full unparsed URL. |
| 8.11.0 | true | threat | threat.indicator.url.original | keyword | extended | | https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch | Unmodified original url as seen in the event source. |
| 8.11.0 | true | threat | threat.indicator.url.original.text | keyword | extended | | https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch | Unmodified original url as seen in the event source. |
| 8.11.0 | true | threat | threat.indicator.url.password | keyword | extended | | | Password of the request. |
| 8.11.0 | true | threat | threat.indicator.url.path | keyword | extended | | | Path of the request, such as "/search". |
| 8.11.0 | true | threat | threat.indicator.url.port | long | extended | | 443 | Port of the request, such as 443. |
| 8.11.0 | true | threat | threat.indicator.url.query | keyword | extended | | | Query string of the request. |
| 8.11.0 | true | threat | threat.indicator.url.registered_domain | keyword | extended | | example.com | The highest registered url domain, stripped of the subdomain. |
| 8.11.0 | true | threat | threat.indicator.url.scheme | keyword | extended | | https | Scheme of the url. |
| 8.11.0 | true | threat | threat.indicator.url.subdomain | keyword | extended | | east | The subdomain of the domain. |
| 8.11.0 | true | threat | threat.indicator.url.top_level_domain | keyword | extended | | co.uk | The effective top level domain (com, org, net, co.uk). |
| 8.11.0 | true | threat | threat.indicator.url.username | keyword | extended | | | Username of the request. |
| 8.11.0 | true | threat | threat.indicator.x509.alternative_names | keyword | extended | array | *.elastic.co | List of subject alternative names (SAN). |
| 8.11.0 | true | threat | threat.indicator.x509.issuer.common_name | keyword | extended | array | Example SHA2 High Assurance Server CA | List of common names (CN) of issuing certificate authority. |
| 8.11.0 | true | threat | threat.indicator.x509.issuer.country | keyword | extended | array | US | List of country (C) codes. |
| 8.11.0 | true | threat | threat.indicator.x509.issuer.distinguished_name | keyword | extended | | C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA | Distinguished name (DN) of issuing certificate authority. |
| 8.11.0 | true | threat | threat.indicator.x509.issuer.locality | keyword | extended | array | Mountain View | List of locality names (L). |
| 8.11.0 | true | threat | threat.indicator.x509.issuer.organization | keyword | extended | array | Example Inc | List of organizations (O) of issuing certificate authority. |
| 8.11.0 | true | threat | threat.indicator.x509.issuer.organizational_unit | keyword | extended | array | www.example.com | List of organizational units (OU) of issuing certificate authority. |
| 8.11.0 | true | threat | threat.indicator.x509.issuer.state_or_province | keyword | extended | array | California | List of state or province names (ST, S, or P). |
| 8.11.0 | true | threat | threat.indicator.x509.not_after | date | extended | | 2020-07-16T03:15:39Z | Time at which the certificate is no longer considered valid. |
| 8.11.0 | true | threat | threat.indicator.x509.not_before | date | extended | | 2019-08-16T01:40:25Z | Time at which the certificate is first considered valid. |
| 8.11.0 | true | threat | threat.indicator.x509.public_key_algorithm | keyword | extended | | RSA | Algorithm used to generate the public key. |
| 8.11.0 | true | threat | threat.indicator.x509.public_key_curve | keyword | extended | | nistp521 | The curve used by the elliptic curve public key algorithm. This is algorithm specific. |
| 8.11.0 | false | threat | threat.indicator.x509.public_key_exponent | long | extended | | 65537 | Exponent used to derive the public key. This is algorithm specific. |
| 8.11.0 | true | threat | threat.indicator.x509.public_key_size | long | extended | | 2048 | The size of the public key space in bits. |
| 8.11.0 | true | threat | threat.indicator.x509.serial_number | keyword | extended | | 55FBB9C7DEBF09809D12CCAA | Unique serial number issued by the certificate authority. |
| 8.11.0 | true | threat | threat.indicator.x509.signature_algorithm | keyword | extended | | SHA256-RSA | Identifier for certificate signature algorithm. |
| 8.11.0 | true | threat | threat.indicator.x509.subject.common_name | keyword | extended | array | shared.global.example.net | List of common names (CN) of subject. |
| 8.11.0 | true | threat | threat.indicator.x509.subject.country | keyword | extended | array | US | List of country (C) codes. |
| 8.11.0 | true | threat | threat.indicator.x509.subject.distinguished_name | keyword | extended | | C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net | Distinguished name (DN) of the certificate subject entity. |
| 8.11.0 | true | threat | threat.indicator.x509.subject.locality | keyword | extended | array | San Francisco | List of locality names (L). |
| 8.11.0 | true | threat | threat.indicator.x509.subject.organization | keyword | extended | array | Example, Inc. | List of organizations (O) of subject. |
| 8.11.0 | true | threat | threat.indicator.x509.subject.organizational_unit | keyword | extended | array | | List of organizational units (OU) of subject. |
| 8.11.0 | true | threat | threat.indicator.x509.subject.state_or_province | keyword | extended | array | California | List of state or province names (ST, S, or P). |
| 8.11.0 | true | threat | threat.indicator.x509.version_number | keyword | extended | | 3 | Version of x509 format. |
| 8.11.0 | true | threat | threat.software.alias | keyword | extended | array | [ "X-Agent" ] | Alias of the software. |
| 8.11.0 | true | threat | threat.software.id | keyword | extended | | S0552 | ID of the software. |
| 8.11.0 | true | threat | threat.software.name | keyword | extended | | AdFind | Name of the software. |
| 8.11.0 | true | threat | threat.software.platforms | keyword | extended | array | [ "Windows" ] | Platforms of the software. |
| 8.11.0 | true | threat | threat.software.reference | keyword | extended | | https://attack.mitre.org/software/S0552/ | Software reference URL. |
| 8.11.0 | true | threat | threat.software.type | keyword | extended | | Tool | Software type. |
| 8.11.0 | true | threat | threat.tactic.id | keyword | extended | array | TA0002 | Threat tactic id. |
| 8.11.0 | true | threat | threat.tactic.name | keyword | extended | array | Execution | Threat tactic. |
| 8.11.0 | true | threat | threat.tactic.reference | keyword | extended | array | https://attack.mitre.org/tactics/TA0002/ | Threat tactic URL reference. |
| 8.11.0 | true | threat | threat.technique.id | keyword | extended | array | T1059 | Threat technique id. |
| 8.11.0 | true | threat | threat.technique.name | keyword | extended | array | Command and Scripting Interpreter | Threat technique name. |
| 8.11.0 | true | threat | threat.technique.name.text | keyword | extended | | Command and Scripting Interpreter | Threat technique name. |
| 8.11.0 | true | threat | threat.technique.reference | keyword | extended | array | https://attack.mitre.org/techniques/T1059/ | Threat technique URL reference. |
| 8.11.0 | true | threat | threat.technique.subtechnique.id | keyword | extended | array | T1059.001 | Threat subtechnique id. |
| 8.11.0 | true | threat | threat.technique.subtechnique.name | keyword | extended | array | PowerShell | Threat subtechnique name. |
| 8.11.0 | true | threat | threat.technique.subtechnique.name.text | keyword | extended | | PowerShell | Threat subtechnique name. |
| 8.11.0 | true | threat | threat.technique.subtechnique.reference | keyword | extended | array | https://attack.mitre.org/techniques/T1059/001/ | Threat subtechnique URL reference. |
| 8.11.0 | true | tls | tls.cipher | keyword | extended | | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | String indicating the cipher used during the current connection. |
| 8.11.0 | true | tls | tls.client.certificate | keyword | extended | | MII... | PEM-encoded stand-alone certificate offered by the client. |
| 8.11.0 | true | tls | tls.client.certificate_chain | keyword | extended | array | ["MII...", "MII..."] | Array of PEM-encoded certificates that make up the certificate chain offered by the client. |
| 8.11.0 | true | tls | tls.client.hash.md5 | keyword | extended | | 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC | Certificate fingerprint using the MD5 digest of the DER-encoded certificate offered by the client. |
| 8.11.0 | true | tls | tls.client.hash.sha1 | keyword | extended | | 9E393D93138888D288266C2D915214D1D1CCEB2A | Certificate fingerprint using the SHA1 digest of the DER-encoded certificate offered by the client. |
| 8.11.0 | true | tls | tls.client.hash.sha256 | keyword | extended | | 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 | Certificate fingerprint using the SHA256 digest of the DER-encoded certificate offered by the client. |
| 8.11.0 | true | tls | tls.client.issuer | keyword | extended | | CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com | Distinguished name of the subject of the issuer of the x.509 certificate presented by the client. |
| 8.11.0 | true | tls | tls.client.ja3 | keyword | extended | | d4e5b18d6b55c71272893221c96ba240 | A hash that identifies clients based on how they perform an SSL/TLS handshake. |
| 8.11.0 | true | tls | tls.client.not_after | date | extended | | 2021-01-01T00:00:00.000Z | Date/time indicating when the client certificate is no longer considered valid. |
| 8.11.0 | true | tls | tls.client.not_before | date | extended | | 1970-01-01T00:00:00.000Z | Date/time indicating when the client certificate is first considered valid. |
| 8.11.0 | true | tls | tls.client.server_name | keyword | extended | | www.elastic.co | Hostname the client is trying to connect to. Also called the SNI. |
| 8.11.0 | true | tls | tls.client.subject | keyword | extended | | CN=myclient, OU=Documentation Team, DC=example, DC=com | Distinguished name of the subject of the x.509 certificate presented by the client. |
| 8.11.0 | true | tls | tls.client.supported_ciphers | keyword | extended | array | ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."] | Array of ciphers offered by the client during the client hello. |
| 8.11.0 | true | tls | tls.client.x509.alternative_names | keyword | extended | array | *.elastic.co | List of subject alternative names (SAN). |
| 8.11.0 | true | tls | tls.client.x509.issuer.common_name | keyword | extended | array | Example SHA2 High Assurance Server CA | List of common names (CN) of issuing certificate authority. |
| 8.11.0 | true | tls | tls.client.x509.issuer.country | keyword | extended | array | US | List of country (C) codes. |
| 8.11.0 | true | tls | tls.client.x509.issuer.distinguished_name | keyword | extended | | C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA | Distinguished name (DN) of issuing certificate authority. |
| 8.11.0 | true | tls | tls.client.x509.issuer.locality | keyword | extended | array | Mountain View | List of locality names (L). |
| 8.11.0 | true | tls | tls.client.x509.issuer.organization | keyword | extended | array | Example Inc | List of organizations (O) of issuing certificate authority. |
| 8.11.0 | true | tls | tls.client.x509.issuer.organizational_unit | keyword | extended | array | www.example.com | List of organizational units (OU) of issuing certificate authority. |
| 8.11.0 | true | tls | tls.client.x509.issuer.state_or_province | keyword | extended | array | California | List of state or province names (ST, S, or P). |
| 8.11.0 | true | tls | tls.client.x509.not_after | date | extended | | 2020-07-16T03:15:39Z | Time at which the certificate is no longer considered valid. |
| 8.11.0 | true | tls | tls.client.x509.not_before | date | extended | | 2019-08-16T01:40:25Z | Time at which the certificate is first considered valid. |
| 8.11.0 | true | tls | tls.client.x509.public_key_algorithm | keyword | extended | | RSA | Algorithm used to generate the public key. |
| 8.11.0 | true | tls | tls.client.x509.public_key_curve | keyword | extended | | nistp521 | The curve used by the elliptic curve public key algorithm. This is algorithm specific. |
| 8.11.0 | false | tls | tls.client.x509.public_key_exponent | long | extended | | 65537 | Exponent used to derive the public key. This is algorithm specific. |
| 8.11.0 | true | tls | tls.client.x509.public_key_size | long | extended | | 2048 | The size of the public key space in bits. |
| 8.11.0 | true | tls | tls.client.x509.serial_number | keyword | extended | | 55FBB9C7DEBF09809D12CCAA | Unique serial number issued by the certificate authority. |
| 8.11.0 | true | tls | tls.client.x509.signature_algorithm | keyword | extended | | SHA256-RSA | Identifier for certificate signature algorithm. |
| 8.11.0 | true | tls | tls.client.x509.subject.common_name | keyword | extended | array | shared.global.example.net | List of common names (CN) of subject. |
| 8.11.0 | true | tls | tls.client.x509.subject.country | keyword | extended | array | US | List of country (C) codes. |
| 8.11.0 | true | tls | tls.client.x509.subject.distinguished_name | keyword | extended | | C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net | Distinguished name (DN) of the certificate subject entity. |
| 8.11.0 | true | tls | tls.client.x509.subject.locality | keyword | extended | array | San Francisco | List of locality names (L). |
| 8.11.0 | true | tls | tls.client.x509.subject.organization | keyword | extended | array | Example, Inc. | List of organizations (O) of subject. |
| 8.11.0 | true | tls | tls.client.x509.subject.organizational_unit | keyword | extended | array | | List of organizational units (OU) of subject. |
| 8.11.0 | true | tls | tls.client.x509.subject.state_or_province | keyword | extended | array | California | List of state or province names (ST, S, or P). |
| 8.11.0 | true | tls | tls.client.x509.version_number | keyword | extended | | 3 | Version of x509 format. |
| 8.11.0 | true | tls | tls.curve | keyword | extended | | secp256r1 | String indicating the curve used for the given cipher, when applicable. |
| 8.11.0 | true | tls | tls.established | boolean | extended | | | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. |
| 8.11.0 | true | tls | tls.next_protocol | keyword | extended | | http/1.1 | String indicating the protocol being tunneled. |
| 8.11.0 | true | tls | tls.resumed | boolean | extended | | | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. |
| 8.11.0 | true | tls | tls.server.certificate | keyword | extended | | MII... | PEM-encoded stand-alone certificate offered by the server. |
| 8.11.0 | true | tls | tls.server.certificate_chain | keyword | extended | array | ["MII...", "MII..."] | Array of PEM-encoded certificates that make up the certificate chain offered by the server. |
| 8.11.0 | true | tls | tls.server.hash.md5 | keyword | extended | | 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC | Certificate fingerprint using the MD5 digest of the DER-encoded certificate offered by the server. |
17328.11.0truetlstls.server.hash.sha1keywordextended9E393D93138888D288266C2D915214D1D1CCEB2ACertificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
17338.11.0truetlstls.server.hash.sha256keywordextended0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
17348.11.0truetlstls.server.issuerkeywordextendedCN=Example Root CA, OU=Infrastructure Team, DC=example, DC=comSubject of the issuer of the x.509 certificate presented by the server.
17358.11.0truetlstls.server.ja3skeywordextended394441ab65754e2207b1e1b457b3641dA hash that identifies servers based on how they perform an SSL/TLS handshake.
17368.11.0truetlstls.server.not_afterdateextended2021-01-01T00:00:00.000ZTimestamp indicating when server certificate is no longer considered valid.
17378.11.0truetlstls.server.not_beforedateextended1970-01-01T00:00:00.000ZTimestamp indicating when server certificate is first considered valid.
17388.11.0truetlstls.server.subjectkeywordextendedCN=www.example.com, OU=Infrastructure Team, DC=example, DC=comSubject of the x.509 certificate presented by the server.
17398.11.0truetlstls.server.x509.alternative_nameskeywordextendedarray*.elastic.coList of subject alternative names (SAN).
17408.11.0truetlstls.server.x509.issuer.common_namekeywordextendedarrayExample SHA2 High Assurance Server CAList of common name (CN) of issuing certificate authority.
17418.11.0truetlstls.server.x509.issuer.countrykeywordextendedarrayUSList of country \(C) codes
17428.11.0truetlstls.server.x509.issuer.distinguished_namekeywordextendedC=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CADistinguished name (DN) of issuing certificate authority.
17438.11.0truetlstls.server.x509.issuer.localitykeywordextendedarrayMountain ViewList of locality names (L)
17448.11.0truetlstls.server.x509.issuer.organizationkeywordextendedarrayExample IncList of organizations (O) of issuing certificate authority.
17458.11.0truetlstls.server.x509.issuer.organizational_unitkeywordextendedarraywww.example.comList of organizational units (OU) of issuing certificate authority.
17468.11.0truetlstls.server.x509.issuer.state_or_provincekeywordextendedarrayCaliforniaList of state or province names (ST, S, or P)
17478.11.0truetlstls.server.x509.not_afterdateextended2020-07-16T03:15:39ZTime at which the certificate is no longer considered valid.
17488.11.0truetlstls.server.x509.not_beforedateextended2019-08-16T01:40:25ZTime at which the certificate is first considered valid.
17498.11.0truetlstls.server.x509.public_key_algorithmkeywordextendedRSAAlgorithm used to generate the public key.
17508.11.0truetlstls.server.x509.public_key_curvekeywordextendednistp521The curve used by the elliptic curve public key algorithm. This is algorithm specific.
17518.11.0falsetlstls.server.x509.public_key_exponentlongextended65537Exponent used to derive the public key. This is algorithm specific.
17528.11.0truetlstls.server.x509.public_key_sizelongextended2048The size of the public key space in bits.
17538.11.0truetlstls.server.x509.serial_numberkeywordextended55FBB9C7DEBF09809D12CCAAUnique serial number issued by the certificate authority.
17548.11.0truetlstls.server.x509.signature_algorithmkeywordextendedSHA256-RSAIdentifier for certificate signature algorithm.
17558.11.0truetlstls.server.x509.subject.common_namekeywordextendedarrayshared.global.example.netList of common names (CN) of subject.
17568.11.0truetlstls.server.x509.subject.countrykeywordextendedarrayUSList of country \(C) code
17578.11.0truetlstls.server.x509.subject.distinguished_namekeywordextendedC=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.netDistinguished name (DN) of the certificate subject entity.
17588.11.0truetlstls.server.x509.subject.localitykeywordextendedarraySan FranciscoList of locality names (L)
17598.11.0truetlstls.server.x509.subject.organizationkeywordextendedarrayExample, Inc.List of organizations (O) of subject.
17608.11.0truetlstls.server.x509.subject.organizational_unitkeywordextendedarrayList of organizational units (OU) of subject.
17618.11.0truetlstls.server.x509.subject.state_or_provincekeywordextendedarrayCaliforniaList of state or province names (ST, S, or P)
17628.11.0truetlstls.server.x509.version_numberkeywordextended3Version of x509 format.
17638.11.0truetlstls.versionkeywordextended1.2Numeric part of the version parsed from the original string.
17648.11.0truetlstls.version_protocolkeywordextendedtlsNormalized lowercase protocol name parsed from original string.
17658.11.0truetracetrace.idkeywordextended4bf92f3577b34da6a3ce929d0e0e4736Unique identifier of the trace.
17668.11.0truetransactiontransaction.idkeywordextended00f067aa0ba902b7Unique identifier of the transaction within the scope of its trace.
17678.11.0trueurlurl.domainkeywordextendedwww.elastic.coDomain of the url.
17688.11.0trueurlurl.extensionkeywordextendedpngFile extension from the request url, excluding the leading dot.
17698.11.0trueurlurl.fragmentkeywordextendedPortion of the url after the `#`.
17708.11.0trueurlurl.fullkeywordextendedhttps://www.elastic.co:443/search?q=elasticsearch#topFull unparsed URL.
17718.11.0trueurlurl.full.textkeywordextendedhttps://www.elastic.co:443/search?q=elasticsearch#topFull unparsed URL.
17728.11.0trueurlurl.originalkeywordextendedhttps://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearchUnmodified original url as seen in the event source.
17738.11.0trueurlurl.original.textkeywordextendedhttps://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearchUnmodified original url as seen in the event source.
17748.11.0trueurlurl.passwordkeywordextendedPassword of the request.
17758.11.0trueurlurl.pathkeywordextendedPath of the request, such as "/search".
17768.11.0trueurlurl.portlongextended443Port of the request, such as 443.
17778.11.0trueurlurl.querykeywordextendedQuery string of the request.
17788.11.0trueurlurl.registered_domainkeywordextendedexample.comThe highest registered url domain, stripped of the subdomain.
17798.11.0trueurlurl.schemekeywordextendedhttpsScheme of the url.
17808.11.0trueurlurl.subdomainkeywordextendedeastThe subdomain of the domain.
17818.11.0trueurlurl.top_level_domainkeywordextendedco.ukThe effective top level domain (com, org, net, co.uk).
17828.11.0trueurlurl.usernamekeywordextendedUsername of the request.
17838.11.0trueuseruser.changes.domainkeywordextendedName of the directory the user is a member of.
17848.11.0trueuseruser.changes.emailkeywordextendedUser email address.
17858.11.0trueuseruser.changes.full_namekeywordextendedAlbert EinsteinUser's full name, if available.
17868.11.0trueuseruser.changes.full_name.textkeywordextendedAlbert EinsteinUser's full name, if available.
17878.11.0trueuseruser.changes.group.domainkeywordextendedName of the directory the group is a member of.
17888.11.0trueuseruser.changes.group.idkeywordextendedUnique identifier for the group on the system/platform.
17898.11.0trueuseruser.changes.group.namekeywordextendedName of the group.
17908.11.0trueuseruser.changes.hashkeywordextendedUnique user hash to correlate information for a user in anonymized form.
17918.11.0trueuseruser.changes.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
17928.11.0trueuseruser.changes.namekeywordcorea.einsteinShort name or login of the user.
17938.11.0trueuseruser.changes.name.textkeywordcorea.einsteinShort name or login of the user.
17948.11.0trueuseruser.changes.roleskeywordextendedarray["kibana_admin", "reporting_user"]Array of user roles at the time of the event.
17958.11.0trueuseruser.domainkeywordextendedName of the directory the user is a member of.
17968.11.0trueuseruser.effective.domainkeywordextendedName of the directory the user is a member of.
17978.11.0trueuseruser.effective.emailkeywordextendedUser email address.
17988.11.0trueuseruser.effective.full_namekeywordextendedAlbert EinsteinUser's full name, if available.
17998.11.0trueuseruser.effective.full_name.textkeywordextendedAlbert EinsteinUser's full name, if available.
18008.11.0trueuseruser.effective.group.domainkeywordextendedName of the directory the group is a member of.
18018.11.0trueuseruser.effective.group.idkeywordextendedUnique identifier for the group on the system/platform.
18028.11.0trueuseruser.effective.group.namekeywordextendedName of the group.
18038.11.0trueuseruser.effective.hashkeywordextendedUnique user hash to correlate information for a user in anonymized form.
18048.11.0trueuseruser.effective.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
18058.11.0trueuseruser.effective.namekeywordcorea.einsteinShort name or login of the user.
18068.11.0trueuseruser.effective.name.textkeywordcorea.einsteinShort name or login of the user.
18078.11.0trueuseruser.effective.roleskeywordextendedarray["kibana_admin", "reporting_user"]Array of user roles at the time of the event.
18088.11.0trueuseruser.emailkeywordextendedUser email address.
18098.11.0trueuseruser.full_namekeywordextendedAlbert EinsteinUser's full name, if available.
18108.11.0trueuseruser.full_name.textkeywordextendedAlbert EinsteinUser's full name, if available.
18118.11.0trueuseruser.group.domainkeywordextendedName of the directory the group is a member of.
18128.11.0trueuseruser.group.idkeywordextendedUnique identifier for the group on the system/platform.
18138.11.0trueuseruser.group.namekeywordextendedName of the group.
18148.11.0trueuseruser.hashkeywordextendedUnique user hash to correlate information for a user in anonymized form.
18158.11.0trueuseruser.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
18168.11.0trueuseruser.namekeywordcorea.einsteinShort name or login of the user.
18178.11.0trueuseruser.name.textkeywordcorea.einsteinShort name or login of the user.
18188.11.0trueuseruser.risk.calculated_levelkeywordextendedHighA risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
18198.11.0trueuseruser.risk.calculated_scorefloatextended880.73A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
18208.11.0trueuseruser.risk.calculated_score_normfloatextended88.73A normalized risk score calculated by an internal system.
18218.11.0trueuseruser.risk.static_levelkeywordextendedHighA risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform.
18228.11.0trueuseruser.risk.static_scorefloatextended830.0A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform.
18238.11.0trueuseruser.risk.static_score_normfloatextended83.0A normalized risk score calculated by an external system.
18248.11.0trueuseruser.roleskeywordextendedarray["kibana_admin", "reporting_user"]Array of user roles at the time of the event.
18258.11.0trueuseruser.target.domainkeywordextendedName of the directory the user is a member of.
18268.11.0trueuseruser.target.emailkeywordextendedUser email address.
18278.11.0trueuseruser.target.full_namekeywordextendedAlbert EinsteinUser's full name, if available.
18288.11.0trueuseruser.target.full_name.textkeywordextendedAlbert EinsteinUser's full name, if available.
18298.11.0trueuseruser.target.group.domainkeywordextendedName of the directory the group is a member of.
18308.11.0trueuseruser.target.group.idkeywordextendedUnique identifier for the group on the system/platform.
18318.11.0trueuseruser.target.group.namekeywordextendedName of the group.
18328.11.0trueuseruser.target.hashkeywordextendedUnique user hash to correlate information for a user in anonymized form.
18338.11.0trueuseruser.target.idkeywordcoreS-1-5-21-202424912787-2692429404-2351956786-1000Unique identifier of the user.
18348.11.0trueuseruser.target.namekeywordcorea.einsteinShort name or login of the user.
18358.11.0trueuseruser.target.name.textkeywordcorea.einsteinShort name or login of the user.
18368.11.0trueuseruser.target.roleskeywordextendedarray["kibana_admin", "reporting_user"]Array of user roles at the time of the event.
18378.11.0trueuser_agentuser_agent.device.namekeywordextendediPhoneName of the device.
18388.11.0trueuser_agentuser_agent.namekeywordextendedSafariName of the user agent.
18398.11.0trueuser_agentuser_agent.originalkeywordextendedMozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1Unparsed user_agent string.
18408.11.0trueuser_agentuser_agent.original.textkeywordextendedMozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1Unparsed user_agent string.
18418.11.0trueuser_agentuser_agent.os.familykeywordextendeddebianOS family (such as redhat, debian, freebsd, windows).
18428.11.0trueuser_agentuser_agent.os.fullkeywordextendedMac OS MojaveOperating system name, including the version or code name.
18438.11.0trueuser_agentuser_agent.os.full.textkeywordextendedMac OS MojaveOperating system name, including the version or code name.
18448.11.0trueuser_agentuser_agent.os.kernelkeywordextended4.4.0-112-genericOperating system kernel version as a raw string.
18458.11.0trueuser_agentuser_agent.os.namekeywordextendedMac OS XOperating system name, without the version.
18468.11.0trueuser_agentuser_agent.os.name.textkeywordextendedMac OS XOperating system name, without the version.
18478.11.0trueuser_agentuser_agent.os.platformkeywordextendeddarwinOperating system platform (such centos, ubuntu, windows).
18488.11.0trueuser_agentuser_agent.os.typekeywordextendedmacosWhich commercial OS family (one of: linux, macos, unix, windows, ios or android).
18498.11.0trueuser_agentuser_agent.os.versionkeywordextended10.14.1Operating system version as a raw string.
18508.11.0trueuser_agentuser_agent.versionkeywordextended12.0Version of the user agent.
18518.11.0truevulnerabilityvulnerability.categorykeywordextendedarray["Firewall"]Category of a vulnerability.
18528.11.0truevulnerabilityvulnerability.classificationkeywordextendedCVSSClassification of the vulnerability.
18538.11.0truevulnerabilityvulnerability.descriptionkeywordextendedIn macOS before 2.12.6, there is a vulnerability in the RPC...Description of the vulnerability.
18548.11.0truevulnerabilityvulnerability.description.textkeywordextendedIn macOS before 2.12.6, there is a vulnerability in the RPC...Description of the vulnerability.
18558.11.0truevulnerabilityvulnerability.enumerationkeywordextendedCVEIdentifier of the vulnerability.
18568.11.0truevulnerabilityvulnerability.idkeywordextendedCVE-2019-00001ID of the vulnerability.
18578.11.0truevulnerabilityvulnerability.referencekeywordextendedhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111Reference of the vulnerability.
18588.11.0truevulnerabilityvulnerability.report_idkeywordextended20191018.0001Scan identification number.
18598.11.0truevulnerabilityvulnerability.scanner.referencekeywordcustomhttps://www.example.com/vulnerability/12345Scanner's resource that provides additional information, context, and mitigations for the identified vulnerability.
18608.11.0truevulnerabilityvulnerability.scanner.vendorkeywordextendedTenableName of the scanner vendor.
18618.11.0truevulnerabilityvulnerability.score.basefloatextended5.5Vulnerability Base score.
18628.11.0truevulnerabilityvulnerability.score.environmentalfloatextended5.5Vulnerability Environmental score.
18638.11.0truevulnerabilityvulnerability.score.temporalfloatextendedVulnerability Temporal score.
18648.11.0truevulnerabilityvulnerability.score.versionkeywordextended2.0CVSS version.
18658.11.0truevulnerabilityvulnerability.severitykeywordextendedCriticalSeverity of the vulnerability.
18668.11.0truewazuhwazuh.cluster.namekeywordcustomwazuh-cluster-1Wazuh cluster name.
18678.11.0truewazuhwazuh.cluster.nodekeywordcustomwazuh-cluster-node-1Wazuh cluster node name.
18688.11.0truewazuhwazuh.decoderskeywordcustoma, r, r, a, y[ 'decoder-1', 'decoder-2' ]Wazuh decoders that matched on this event.
18698.11.0truewazuhwazuh.ruleskeywordcustoma, r, r, a, y[ 'rule-1', 'rule-2' ]Wazuh rules that matched on this event.
18708.11.0truewazuhwazuh.schema.versionkeywordcustom1.7.0Wazuh schema version.
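The tls.server.hash.md5, tls.server.hash.sha1 and tls.server.hash.sha256 rows above define each fingerprint as a digest of the DER-encoded certificate, not of the PEM text carried in tls.server.certificate. The example below, added here and not code from the Wazuh or ECS projects, derives those three fields from a PEM string with the standard library only: it strips the armor and line breaks, base64-decodes to DER, hashes, and renders uppercase hex as the page's examples do. The PEM is constructed from arbitrary bytes so it decodes but is not a real certificate; `pem_to_der`, `fingerprints`, `naive_sha256` and `to_ecs` are names chosen for this example.

```python
"""Derive tls.server.hash.* from a PEM certificate (added example)."""
import base64
import hashlib
import re

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())  # drop line breaks and indentation
    return base64.b64decode(body, validate=True)


def fingerprints(pem):
    """Return {'md5','sha1','sha256'} digests of the DER form, uppercase hex.

    hashlib.new('md5') can be unavailable on FIPS-restricted builds; drop the
    md5 entry there, it is only kept because the schema still carries it.
    """
    der = pem_to_der(pem)
    return {name: hashlib.new(name, der).hexdigest().upper()
            for name in ("md5", "sha1", "sha256")}


def naive_sha256(pem):
    """The common mistake: hashing the PEM text instead of the DER bytes."""
    return hashlib.sha256(pem.encode()).hexdigest().upper()


def to_ecs(pem, chain=()):
    """Build the tls.server.certificate, certificate_chain and hash.* fields."""
    doc = {"tls.server.certificate": pem,
           "tls.server.certificate_chain": list(chain)}
    for name, value in fingerprints(pem).items():
        doc[f"tls.server.hash.{name}"] = value
    return doc


# Constructed stand-in for a certificate: 256 arbitrary bytes, not real X.509.
SAMPLE_DER = bytes(range(256))
_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + "\n-----END CERTIFICATE-----\n")
# Same DER, different line wrapping: fingerprints must be identical.
SAMPLE_PEM_ONE_LINE = ("-----BEGIN CERTIFICATE-----" + _B64
                       + "-----END CERTIFICATE-----")

if __name__ == "__main__":
    for field, value in sorted(to_ecs(SAMPLE_PEM).items()):
        if field.startswith("tls.server.hash."):
            print(field, value)
    print("naive PEM-text sha256 matches:",
          naive_sha256(SAMPLE_PEM) == fingerprints(SAMPLE_PEM)["sha256"])
```

When comparing a fingerprint from this pipeline against one printed by `openssl x509 -fingerprint`, strip the colons and compare case-insensitively; the value itself is the same because both hash the DER form.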
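The url.* rows describe one URL split into domain, registered_domain, subdomain, top_level_domain, extension, path, port, query, fragment, username and password. The example below, added here and not code from the Wazuh or ECS projects, performs that split for both forms the url.original row allows (an absolute URL and a bare `/path?query`). It uses only `urllib.parse`; the public-suffix table is a tiny constructed stand-in for the Public Suffix List that url.registered_domain and url.top_level_domain require in production, and `split_suffix` and `to_ecs_url` are names chosen for this example.

```python
"""Map a raw URL to the ECS url.* fields (added example)."""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption for the example).
PUBLIC_SUFFIXES = {"com", "net", "org", "co", "uk", "co.uk"}


def split_suffix(host):
    """Return (subdomain, registered_domain, top_level_domain) for a hostname.

    Walks from the longest suffix down, so "co.uk" wins over "uk". A host that
    matches no suffix (an IP address, an internal name) keeps the whole host as
    registered_domain and leaves the other two empty.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES and i > 0:
            return (".".join(labels[:i - 1]), ".".join(labels[i - 1:]), suffix)
    return "", host, ""


def to_ecs_url(raw):
    """Split an absolute URL or a path-only request target into url.* fields."""
    parts = urlsplit(raw)
    fields = {"url.original": raw}
    if parts.scheme and parts.netloc:
        fields["url.full"] = raw
        fields["url.scheme"] = parts.scheme
    if parts.hostname:
        sub, registered, tld = split_suffix(parts.hostname)
        fields["url.domain"] = parts.hostname
        fields["url.registered_domain"] = registered
        if sub:
            fields["url.subdomain"] = sub
        if tld:
            fields["url.top_level_domain"] = tld
    if parts.port is not None:
        fields["url.port"] = parts.port
    if parts.username is not None:
        fields["url.username"] = parts.username
    if parts.password is not None:
        # A credential in the URL is a secret; many pipelines drop or mask it
        # before indexing rather than storing it in url.password.
        fields["url.password"] = parts.password
    if parts.path:
        fields["url.path"] = parts.path
        last = parts.path.rsplit("/", 1)[-1]
        if "." in last and not last.startswith("."):
            fields["url.extension"] = last.rsplit(".", 1)[-1]  # no leading dot
    if parts.query:
        fields["url.query"] = parts.query
    if parts.fragment:
        fields["url.fragment"] = parts.fragment
    return fields


if __name__ == "__main__":
    for raw in ("https://www.elastic.co:443/search?q=elasticsearch#top",
                "/files/report.png?id=1",
                "http://bob:hunter2@east.example.co.uk/"):
        print(to_ecs_url(raw))
```

url.full is only emitted for an absolute URL; a path-only request target has no scheme or host to reconstruct it from, which is why url.original is kept verbatim in both cases.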
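The Indexed, Type and Normalization columns of this table are what decide whether an event is accepted as typed by the index template and whether a detection query can find it: an `array` field sent as a scalar, a `boolean` sent as the string "true", a `date` that is not ISO 8601, or a field with Indexed=false that a rule then tries to search on. The example below, added here and not part of the Wazuh indexer repository, loads a constructed excerpt of this CSV (same columns, a few rows copied from above) and checks a sample event against it before ingestion. The sample event, the `load_schema` and `check_event` helpers, and the field `wazuh.rule.level` used to show an unknown-field finding are assumptions for the example.

```python
"""Check an event against the ECS fields CSV (added example)."""
import csv
import io
from datetime import datetime

# Constructed excerpt of the fields CSV: same columns as the page's table.
FIELDS_CSV = """\
ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.11.0,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes.
8.11.0,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key.
8.11.0,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid.
8.11.0,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful.
8.11.0,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system.
8.11.0,true,wazuh,wazuh.rules,keyword,custom,array,"[""rule-1"", ""rule-2""]",Wazuh rules that matched on this event.
"""


def load_schema(text):
    """Return {field name: row dict} from CSV text with the page's header."""
    return {row["Field"]: row for row in csv.DictReader(io.StringIO(text))}


def _is_date(value):
    try:
        datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


# ECS type -> predicate on one scalar value. bool is excluded from the numeric
# types because bool is a subclass of int in Python.
SCALAR_CHECKS = {
    "keyword": lambda v: isinstance(v, str),
    "long": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "float": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "boolean": lambda v: isinstance(v, bool),
    "date": _is_date,
}


def check_event(event, schema):
    """Return sorted (field, finding) pairs; an empty list means the event is clean.

    Findings: unknown field, scalar where Normalization says array, value of
    the wrong ECS type, and a field that is defined but Indexed=false (it is
    stored but cannot be searched, which matters when writing detections).
    """
    findings = []
    for field, value in event.items():
        row = schema.get(field)
        if row is None:
            findings.append((field, "not in schema"))
            continue
        if row["Normalization"] == "array" and not isinstance(value, list):
            findings.append((field, "expected array"))
        check = SCALAR_CHECKS.get(row["Type"])
        values = value if isinstance(value, list) else [value]
        if check is not None and not all(check(v) for v in values):
            findings.append((field, f"expected {row['Type']}"))
        if row["Indexed"].lower() == "false":
            findings.append((field, "not indexed: cannot be searched"))
    return sorted(findings)


# Constructed sample event with one deliberate problem per finding type.
SAMPLE_EVENT = {
    "tls.client.x509.issuer.country": "US",         # scalar, schema says array
    "tls.client.x509.public_key_exponent": 65537,   # Indexed=false in the CSV
    "tls.client.x509.not_after": "2020-07-16T03:15:39Z",
    "tls.established": "true",                      # string, not a boolean
    "user.risk.calculated_score": 880.73,
    "wazuh.rules": ["rule-1", "rule-2"],
    "wazuh.rule.level": 7,                          # not in the excerpt
}

if __name__ == "__main__":
    for field, finding in check_event(SAMPLE_EVENT, load_schema(FIELDS_CSV)):
        print(f"{field}: {finding}")
```

Run against the full CSV this page renders, the same loop doubles as a pre-flight for new custom fields: a row whose Normalization cell reads anything other than `array` or empty is a definition error in the field set, not an event error, and is the kind of mistake a mappings-limit increase would otherwise hide.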