From bf2336e90a4b886e818b414205703e6ea073001f Mon Sep 17 00:00:00 2001
From: Eric Beahan
Date: Thu, 3 Dec 2020 11:14:23 -0600
Subject: [PATCH] beta labeled artifacts
---
 docs/field-details.asciidoc | 210 ++-
 experimental/generated/beats/fields.ecs.yml | 1 -
 experimental/generated/csv/fields.csv | 1443 +++++++++--------
 experimental/generated/ecs/ecs_flat.yml | 204 ++-
 experimental/generated/ecs/ecs_nested.yml | 218 ++-
 .../generated/elasticsearch/7/template.json | 2 -
 generated/beats/fields.ecs.yml | 1 -
 generated/csv/fields.csv | 6 +-
 generated/ecs/ecs_flat.yml | 186 ++-
 generated/ecs/ecs_nested.yml | 200 ++-
 generated/elasticsearch/6/template.json | 2 -
 generated/elasticsearch/7/template.json | 2 -
 12 files changed, 1684 insertions(+), 791 deletions(-)
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index ffa2417970..fe8bd0ed64 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -115,7 +115,9 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha
 [[field-agent-build-original]]
 <>
-| Extended build information for the agent.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Extended build information for the agent.
 This field is intended to contain any build information that a data source may provide, no specific formatting is required.
@@ -255,7 +257,9 @@ example: `15169`
 [[field-as-organization-name]]
 <>
-| Organization name.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Organization name.
 type: wildcard
@@ -341,7 +345,9 @@ example: `184`
 [[field-client-domain]]
 <>
-| Client domain.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Client domain.
 type: wildcard
@@ -457,7 +463,9 @@ type: long
 [[field-client-registered-domain]]
 <>
-| The highest registered client domain, stripped of the subdomain.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+The highest registered client domain, stripped of the subdomain.
 For example, the registered domain for "foo.example.com" is "example.com".
@@ -1015,7 +1023,9 @@ example: `184`
 [[field-destination-domain]]
 <>
-| Destination domain.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Destination domain.
 type: wildcard
@@ -1131,7 +1141,9 @@ type: long
 [[field-destination-registered-domain]]
 <>
-| The highest registered destination domain, stripped of the subdomain.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+The highest registered destination domain, stripped of the subdomain.
 For example, the registered domain for "foo.example.com" is "example.com".
@@ -1378,7 +1390,9 @@ example: `IN`
 [[field-dns-answers-data]]
 <>
-| The data describing the resource.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+The data describing the resource.
 The meaning of this data depends on the type and class of the resource record.
@@ -1515,7 +1529,9 @@ example: `IN`
 [[field-dns-question-name]]
 <>
-| The name being queried.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+The name being queried.
 If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
@@ -1762,7 +1778,9 @@ type: text
 [[field-error-stack-trace]]
 <>
-| The stack trace of this error in plain text.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+The stack trace of this error in plain text.
 type: wildcard
@@ -1784,7 +1802,9 @@ Multi-fields:
 [[field-error-type]]
 <>
-| The type of the error, for example the class name of the exception.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+The type of the error, for example the class name of the exception.
 type: wildcard
@@ -2423,7 +2443,9 @@ example: `sda`
 [[field-file-directory]]
 <>
-| Directory where the file is located. It should include the drive letter, when appropriate.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Directory where the file is located. It should include the drive letter, when appropriate.
 type: wildcard
@@ -2603,7 +2625,9 @@ example: `alice`
 [[field-file-path]]
 <>
-| Full path to the file, including the file name. It should include the drive letter, when appropriate.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Full path to the file, including the file name. It should include the drive letter, when appropriate.
 type: wildcard
@@ -2643,7 +2667,9 @@ example: `16384`
 [[field-file-target-path]]
 <>
-| Target path for symlinks.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Target path for symlinks.
 type: wildcard
@@ -2838,7 +2864,9 @@ example: `{ "lon": -73.614830, "lat": 45.505918 }`
 [[field-geo-name]]
 <>
-| User-defined description of a location, at the level of granularity they care about.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+User-defined description of a location, at the level of granularity they care about.
 Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
@@ -3120,7 +3148,9 @@ example: `CONTOSO`
 [[field-host-hostname]]
 <>
-| Hostname of the host.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Hostname of the host.
 It normally contains what the `hostname` command returns on the host machine.
@@ -3317,7 +3347,9 @@ example: `887`
 [[field-http-request-body-content]]
 <>
-| The full HTTP request body.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+The full HTTP request body.
 type: wildcard
@@ -3395,7 +3427,9 @@ example: `image/gif`
 [[field-http-request-referrer]]
 <>
-| Referrer for this HTTP request.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Referrer for this HTTP request.
 type: wildcard
@@ -3427,7 +3461,9 @@ example: `887`
 [[field-http-response-body-content]]
 <>
-| The full HTTP response body.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+The full HTTP response body.
 type: wildcard
@@ -3609,7 +3645,9 @@ The details specific to your event source are typically not logged under `log.*`
 [[field-log-file-path]]
 <>
-| Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
 If the event wasn't read from a log file, do not populate this field.
@@ -3647,7 +3685,9 @@ example: `error`
 [[field-log-logger]]
 <>
-| The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
 type: wildcard
@@ -4443,7 +4483,9 @@ type: keyword
 [[field-organization-name]]
 <>
-| Organization name.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Organization name.
 type: wildcard
@@ -4497,7 +4539,9 @@ example: `debian`
 [[field-os-full]]
 <>
-| Operating system name, including the version or code name.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Operating system name, including the version or code name.
 type: wildcard
@@ -4535,7 +4579,9 @@ example: `4.4.0-112-generic`
 [[field-os-name]]
 <>
-| Operating system name, without the version.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Operating system name, without the version.
 type: wildcard
@@ -4947,7 +4993,9 @@ example: `0c6803c4e922103c4dca5963aad36ddf`
 [[field-pe-original-file-name]]
 <>
-| Internal name of the file, provided at compile-time.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Internal name of the file, provided at compile-time.
 type: wildcard
@@ -5046,7 +5094,9 @@ example: `4`
 [[field-process-command-line]]
 <>
-| Full command line that started the process, including the absolute path to the executable, and all arguments.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Full command line that started the process, including the absolute path to the executable, and all arguments.
 Some arguments may be filtered to protect sensitive information.
@@ -5090,7 +5140,9 @@ example: `c2c455d9f99375d`
 [[field-process-executable]]
 <>
-| Absolute path to the process executable.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Absolute path to the process executable.
 type: wildcard
@@ -5130,7 +5182,9 @@ example: `137`
 [[field-process-name]]
 <>
-| Process name.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Process name.
 Sometimes called program name or similar.
@@ -5234,7 +5288,9 @@ example: `4242`
 [[field-process-thread-name]]
 <>
-| Thread name.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Thread name.
 type: wildcard
@@ -5250,7 +5306,9 @@ example: `thread-0`
 [[field-process-title]]
 <>
-| Process title.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Process title.
 The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.
@@ -5290,7 +5348,9 @@ example: `1325`
 [[field-process-working-directory]]
 <>
-| The working directory of the process.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+The working directory of the process.
 type: wildcard
@@ -5393,7 +5453,9 @@ example: `ZQBuAC0AVQBTAAAAZQBuAAAAAAA=`
 [[field-registry-data-strings]]
 <>
-| Content when writing string types.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Content when writing string types.
 Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).
@@ -5446,7 +5508,9 @@ example: `HKLM`
 [[field-registry-key]]
 <>
-| Hive-relative path of keys.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Hive-relative path of keys.
 type: wildcard
@@ -5462,7 +5526,9 @@ example: `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
 [[field-registry-path]]
 <>
-| Full path, including hive, key and value
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Full path, including hive, key and value
 type: wildcard
@@ -5827,7 +5893,9 @@ example: `184`
 [[field-server-domain]]
 <>
-| Server domain.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Server domain.
 type: wildcard
@@ -5943,7 +6011,9 @@ type: long
 [[field-server-registered-domain]]
 <>
-| The highest registered server domain, stripped of the subdomain.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+The highest registered server domain, stripped of the subdomain.
 For example, the registered domain for "foo.example.com" is "example.com".
@@ -6238,7 +6308,9 @@ example: `184`
 [[field-source-domain]]
 <>
-| Source domain.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Source domain.
 type: wildcard
@@ -6354,7 +6426,9 @@ type: long
 [[field-source-registered-domain]]
 <>
-| The highest registered source domain, stripped of the subdomain.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+The highest registered source domain, stripped of the subdomain.
 For example, the registered domain for "foo.example.com" is "example.com".
@@ -6779,7 +6853,9 @@ example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0`
 [[field-tls-client-issuer]]
 <>
-| Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Distinguished name of subject of the issuer of the x.509 certificate presented by the client.
 type: wildcard
@@ -6859,7 +6935,9 @@ example: `www.elastic.co`
 [[field-tls-client-subject]]
 <>
-| Distinguished name of subject of the x.509 certificate presented by the client.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Distinguished name of subject of the x.509 certificate presented by the client.
 type: wildcard
@@ -7041,7 +7119,9 @@ example: `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0`
 [[field-tls-server-issuer]]
 <>
-| Subject of the issuer of the x.509 certificate presented by the server.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Subject of the issuer of the x.509 certificate presented by the server.
 type: wildcard
@@ -7105,7 +7185,9 @@ example: `1970-01-01T00:00:00.000Z`
 [[field-tls-server-subject]]
 <>
-| Subject of the x.509 certificate presented by the server.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Subject of the x.509 certificate presented by the server.
 type: wildcard
@@ -7272,10 +7354,14 @@ URL fields provide support for complete or partial URLs, and supports the breaki
 [[field-url-domain]]
 <>
-| Domain of the url, such as "www.elastic.co".
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Domain of the url, such as "www.elastic.co".
 In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
+If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+
 type: wildcard
@@ -7330,7 +7416,9 @@ type: keyword
 [[field-url-full]]
 <>
-| If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
 type: wildcard
@@ -7352,7 +7440,9 @@ example: `https://www.elastic.co:443/search?q=elasticsearch#top`
 [[field-url-original]]
 <>
-| Unmodified original url as seen in the event source.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Unmodified original url as seen in the event source.
 Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
@@ -7394,7 +7484,9 @@ type: keyword
 [[field-url-path]]
 <>
-| Path of the request, such as "/search".
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Path of the request, such as "/search".
 type: wildcard
@@ -7444,7 +7536,9 @@ type: keyword
 [[field-url-registered-domain]]
 <>
-| The highest registered url domain, stripped of the subdomain.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+The highest registered url domain, stripped of the subdomain.
 For example, the registered domain for "foo.example.com" is "example.com".
@@ -7570,7 +7664,9 @@ type: keyword
 [[field-user-email]]
 <>
-| User email address.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+User email address.
 type: wildcard
@@ -7586,7 +7682,9 @@ type: wildcard
 [[field-user-full-name]]
 <>
-| User's full name, if available.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+User's full name, if available.
 type: wildcard
@@ -7642,7 +7740,9 @@ type: keyword
 [[field-user-name]]
 <>
-| Short name or login of the user.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Short name or login of the user.
 type: wildcard
@@ -7762,7 +7862,9 @@ example: `Safari`
 [[field-user-agent-original]]
 <>
-| Unparsed user_agent string.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Unparsed user_agent string.
 type: wildcard
@@ -8209,7 +8311,9 @@ example: `US`
 [[field-x509-issuer-distinguished-name]]
 <>
-| Distinguished name (DN) of issuing certificate authority.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Distinguished name (DN) of issuing certificate authority.
 type: wildcard
@@ -8467,7 +8571,9 @@ example: `US`
 [[field-x509-subject-distinguished-name]]
 <>
-| Distinguished name (DN) of the certificate subject entity.
+| beta:[ Note the usage of `wildcard` type is considered beta. This field used to be type `keyword`. ]
+
+Distinguished name (DN) of the certificate subject entity.
 type: wildcard
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 4951c79c89..76143acb9e 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -1173,7 +1173,6 @@ norms: false default_field: false description: The stack trace of this error in plain text. - index: false - name: type level: extended type: wildcard
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index f775238ade..c4438dfff9 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -1,721 +1,724 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -2.0.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -2.0.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -2.0.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. -2.0.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -2.0.0-dev,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -2.0.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -2.0.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -2.0.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -2.0.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -2.0.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -2.0.0-dev,true,client,client.address,keyword,extended,,,Client network address. -2.0.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -2.0.0-dev,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name. -2.0.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. -2.0.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -2.0.0-dev,true,client,client.domain,wildcard,core,,,Client domain. -2.0.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -2.0.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. 
-2.0.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -2.0.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -2.0.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -2.0.0-dev,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -2.0.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -2.0.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -2.0.0-dev,true,client,client.ip,ip,core,,,IP address of the client. -2.0.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client. -2.0.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -2.0.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port -2.0.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -2.0.0-dev,true,client,client.port,long,core,,,Port of the client. -2.0.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -2.0.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -2.0.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -2.0.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,client,client.user.email,wildcard,extended,,,User email address. -2.0.0-dev,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-2.0.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -2.0.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -2.0.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. -2.0.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -2.0.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -2.0.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -2.0.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -2.0.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -2.0.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -2.0.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. -2.0.0-dev,true,container,container.id,keyword,core,,,Unique container id. -2.0.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. 
-2.0.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. -2.0.0-dev,true,container,container.labels,object,extended,,,Image labels. -2.0.0-dev,true,container,container.name,keyword,extended,,,Container name. -2.0.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -2.0.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. -2.0.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -2.0.0-dev,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name. -2.0.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. -2.0.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -2.0.0-dev,true,destination,destination.domain,wildcard,core,,,Destination domain. -2.0.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -2.0.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -2.0.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -2.0.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -2.0.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -2.0.0-dev,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -2.0.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -2.0.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -2.0.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. -2.0.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination. 
-2.0.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -2.0.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -2.0.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -2.0.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -2.0.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -2.0.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -2.0.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -2.0.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address. -2.0.0-dev,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user. 
-2.0.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -2.0.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -2.0.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -2.0.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -2.0.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -2.0.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -2.0.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -2.0.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -2.0.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -2.0.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -2.0.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -2.0.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -2.0.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -2.0.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -2.0.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -2.0.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
-2.0.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -2.0.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -2.0.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -2.0.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -2.0.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. -2.0.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -2.0.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -2.0.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -2.0.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -2.0.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -2.0.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -2.0.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -2.0.0-dev,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried. -2.0.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -2.0.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -2.0.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
-2.0.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -2.0.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -2.0.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -2.0.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -2.0.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -2.0.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. -2.0.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. -2.0.0-dev,true,error,error.message,text,core,,,Error message. -2.0.0-dev,false,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -2.0.0-dev,false,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. -2.0.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -2.0.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -2.0.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -2.0.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. -2.0.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -2.0.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -2.0.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -2.0.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. 
-2.0.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -2.0.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -2.0.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -2.0.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -2.0.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -2.0.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -2.0.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -2.0.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. -2.0.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -2.0.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -2.0.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -2.0.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -2.0.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. -2.0.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. -2.0.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -2.0.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. 
-2.0.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -2.0.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -2.0.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. -2.0.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -2.0.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -2.0.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -2.0.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -2.0.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -2.0.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -2.0.0-dev,true,file,file.created,date,extended,,,File creation time. -2.0.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -2.0.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -2.0.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. -2.0.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -2.0.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -2.0.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -2.0.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -2.0.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -2.0.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. 
-2.0.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -2.0.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -2.0.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -2.0.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -2.0.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -2.0.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. -2.0.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -2.0.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. -2.0.0-dev,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." -2.0.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -2.0.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -2.0.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -2.0.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -2.0.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -2.0.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -2.0.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -2.0.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -2.0.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. 
-2.0.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. -2.0.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks. -2.0.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -2.0.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -2.0.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -2.0.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -2.0.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -2.0.0-dev,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -2.0.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -2.0.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -2.0.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -2.0.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -2.0.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -2.0.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -2.0.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
-2.0.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -2.0.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -2.0.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -2.0.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -2.0.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -2.0.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -2.0.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code -2.0.0-dev,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -2.0.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -2.0.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -2.0.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -2.0.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -2.0.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -2.0.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-2.0.0-dev,true,group,group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -2.0.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -2.0.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -2.0.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -2.0.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -2.0.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -2.0.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -2.0.0-dev,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -2.0.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -2.0.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -2.0.0-dev,true,host,host.hostname,wildcard,core,,,Hostname of the host. -2.0.0-dev,true,host,host.id,keyword,core,,,Unique host id. -2.0.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. -2.0.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. -2.0.0-dev,true,host,host.name,keyword,core,,,Name of the host. -2.0.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -2.0.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -2.0.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -2.0.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -2.0.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." 
-2.0.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -2.0.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -2.0.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -2.0.0-dev,true,host,host.type,keyword,core,,,Type of host. -2.0.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -2.0.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,host,host.user.email,wildcard,extended,,,User email address. -2.0.0-dev,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -2.0.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. 
-2.0.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. -2.0.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -2.0.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. -2.0.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -2.0.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. -2.0.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -2.0.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -2.0.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. -2.0.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -2.0.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -2.0.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -2.0.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. -2.0.0-dev,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -2.0.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. -2.0.0-dev,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -2.0.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. -2.0.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -2.0.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. 
-2.0.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." -2.0.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata -2.0.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -2.0.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -2.0.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -2.0.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -2.0.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -2.0.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. -2.0.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -2.0.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -2.0.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -2.0.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -2.0.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -2.0.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information -2.0.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -2.0.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -2.0.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -2.0.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -2.0.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. 
-2.0.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -2.0.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -2.0.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -2.0.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -2.0.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information -2.0.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -2.0.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -2.0.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -2.0.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -2.0.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -2.0.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -2.0.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -2.0.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -2.0.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -2.0.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -2.0.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -2.0.0-dev,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -2.0.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -2.0.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. 
-2.0.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -2.0.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information -2.0.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -2.0.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -2.0.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -2.0.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -2.0.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -2.0.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -2.0.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -2.0.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer -2.0.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -2.0.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -2.0.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -2.0.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -2.0.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -2.0.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." -2.0.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -2.0.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
-2.0.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -2.0.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -2.0.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -2.0.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -2.0.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -2.0.0-dev,true,observer,observer.version,keyword,core,,,Observer version. -2.0.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -2.0.0-dev,true,organization,organization.name,wildcard,extended,,,Organization name. -2.0.0-dev,true,organization,organization.name.text,text,extended,,,Organization name. -2.0.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -2.0.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -2.0.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -2.0.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -2.0.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -2.0.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. -2.0.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -2.0.0-dev,true,package,package.name,keyword,extended,,go,Package name -2.0.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. 
-2.0.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -2.0.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. -2.0.0-dev,true,package,package.type,keyword,extended,,rpm,Package type -2.0.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version -2.0.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -2.0.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. -2.0.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -2.0.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -2.0.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -2.0.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -2.0.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -2.0.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -2.0.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -2.0.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -2.0.0-dev,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. -2.0.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. -2.0.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. 
-2.0.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -2.0.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -2.0.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -2.0.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -2.0.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name. -2.0.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. -2.0.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -2.0.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -2.0.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -2.0.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -2.0.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -2.0.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -2.0.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -2.0.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -2.0.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -2.0.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -2.0.0-dev,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-2.0.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. -2.0.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -2.0.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -2.0.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -2.0.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -2.0.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -2.0.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name. -2.0.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name. -2.0.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -2.0.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -2.0.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -2.0.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -2.0.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -2.0.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -2.0.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -2.0.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. -2.0.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. -2.0.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. 
-2.0.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -2.0.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -2.0.0-dev,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name. -2.0.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title. -2.0.0-dev,true,process,process.parent.title.text,text,extended,,,Process title. -2.0.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -2.0.0-dev,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process. -2.0.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. -2.0.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -2.0.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -2.0.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -2.0.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -2.0.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -2.0.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -2.0.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -2.0.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. -2.0.0-dev,true,process,process.pid,long,core,,4242,Process id. -2.0.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid. 
-2.0.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -2.0.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. -2.0.0-dev,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name. -2.0.0-dev,true,process,process.title,wildcard,extended,,,Process title. -2.0.0-dev,true,process,process.title.text,text,extended,,,Process title. -2.0.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -2.0.0-dev,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process. -2.0.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. -2.0.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -2.0.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -2.0.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -2.0.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -2.0.0-dev,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -2.0.0-dev,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -2.0.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -2.0.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -2.0.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -2.0.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. 
-2.0.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event. -2.0.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -2.0.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -2.0.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -2.0.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID -2.0.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -2.0.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -2.0.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -2.0.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -2.0.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -2.0.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version -2.0.0-dev,true,server,server.address,keyword,extended,,,Server network address. -2.0.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -2.0.0-dev,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name. -2.0.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. -2.0.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -2.0.0-dev,true,server,server.domain,wildcard,core,,,Server domain. -2.0.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -2.0.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -2.0.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -2.0.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. -2.0.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
-2.0.0-dev,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -2.0.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -2.0.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -2.0.0-dev,true,server,server.ip,ip,core,,,IP address of the server. -2.0.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server. -2.0.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip -2.0.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port -2.0.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -2.0.0-dev,true,server,server.port,long,core,,,Port of the server. -2.0.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -2.0.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -2.0.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -2.0.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,server,server.user.email,wildcard,extended,,,User email address. -2.0.0-dev,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-2.0.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -2.0.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -2.0.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -2.0.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -2.0.0-dev,true,service,service.state,keyword,core,,,Current state of the service. -2.0.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -2.0.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. -2.0.0-dev,true,source,source.address,keyword,extended,,,Source network address. -2.0.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -2.0.0-dev,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name. -2.0.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. -2.0.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -2.0.0-dev,true,source,source.domain,wildcard,core,,,Source domain. -2.0.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -2.0.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -2.0.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. 
-2.0.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -2.0.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -2.0.0-dev,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -2.0.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -2.0.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -2.0.0-dev,true,source,source.ip,ip,core,,,IP address of the source. -2.0.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source. -2.0.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip -2.0.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port -2.0.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -2.0.0-dev,true,source,source.port,long,core,,,Port of the source. -2.0.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -2.0.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -2.0.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -2.0.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,source,source.user.email,wildcard,extended,,,User email address. -2.0.0-dev,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-2.0.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -2.0.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -2.0.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -2.0.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -2.0.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -2.0.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -2.0.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -2.0.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. -2.0.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -2.0.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -2.0.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. 
-2.0.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. -2.0.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -2.0.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -2.0.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -2.0.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -2.0.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -2.0.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. -2.0.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -2.0.0-dev,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -2.0.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -2.0.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. 
-2.0.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -2.0.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -2.0.0-dev,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -2.0.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -2.0.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -2.0.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -2.0.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -2.0.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -2.0.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -2.0.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -2.0.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-2.0.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -2.0.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -2.0.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -2.0.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -2.0.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -2.0.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -2.0.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -2.0.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -2.0.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -2.0.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -2.0.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code -2.0.0-dev,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -2.0.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -2.0.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
-2.0.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -2.0.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -2.0.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -2.0.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -2.0.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -2.0.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -2.0.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -2.0.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. -2.0.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -2.0.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -2.0.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -2.0.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. 
-2.0.0-dev,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -2.0.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -2.0.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -2.0.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -2.0.0-dev,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -2.0.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -2.0.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -2.0.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -2.0.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -2.0.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -2.0.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -2.0.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
-2.0.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -2.0.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -2.0.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -2.0.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -2.0.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -2.0.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -2.0.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -2.0.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -2.0.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -2.0.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -2.0.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code -2.0.0-dev,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -2.0.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -2.0.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
-2.0.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -2.0.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -2.0.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -2.0.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -2.0.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -2.0.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -2.0.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -2.0.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url. -2.0.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url. -2.0.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -2.0.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -2.0.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -2.0.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -2.0.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -2.0.0-dev,true,url,url.password,keyword,extended,,,Password of the request. -2.0.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." 
-2.0.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -2.0.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. -2.0.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -2.0.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -2.0.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -2.0.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -2.0.0-dev,true,url,url.username,keyword,extended,,,Username of the request. -2.0.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,user,user.changes.email,wildcard,extended,,,User email address. -2.0.0-dev,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
-2.0.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,user,user.effective.email,wildcard,extended,,,User email address. -2.0.0-dev,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,user,user.email,wildcard,extended,,,User email address. -2.0.0-dev,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. 
-2.0.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,user,user.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,user,user.target.email,wildcard,extended,,,User email address. -2.0.0-dev,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -2.0.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. 
-2.0.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -2.0.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -2.0.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -2.0.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -2.0.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -2.0.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -2.0.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." -2.0.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -2.0.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -2.0.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -2.0.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -2.0.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -2.0.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. 
-2.0.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -2.0.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -2.0.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -2.0.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -2.0.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -2.0.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -2.0.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -2.0.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -2.0.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -2.0.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -2.0.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -2.0.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +2.0.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +2.0.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +2.0.0-dev+exp,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. +2.0.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. 
+2.0.0-dev+exp,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +2.0.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +2.0.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +2.0.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +2.0.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +2.0.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +2.0.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. +2.0.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +2.0.0-dev+exp,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +2.0.0-dev+exp,true,client,client.domain,wildcard,core,,,Client domain. +2.0.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +2.0.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +2.0.0-dev+exp,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +2.0.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
+2.0.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. +2.0.0-dev+exp,true,client,client.mac,keyword,core,,,MAC address of the client. +2.0.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +2.0.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port +2.0.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +2.0.0-dev+exp,true,client,client.port,long,core,,,Port of the client. +2.0.0-dev+exp,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +2.0.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +2.0.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,client,client.user.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,client,client.user.id,keyword,core,,,Unique identifier of the user. 
+2.0.0-dev+exp,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +2.0.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +2.0.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. +2.0.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +2.0.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +2.0.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +2.0.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +2.0.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +2.0.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +2.0.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. +2.0.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. +2.0.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +2.0.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. +2.0.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. +2.0.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. +2.0.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. 
+2.0.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. +2.0.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +2.0.0-dev+exp,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +2.0.0-dev+exp,true,destination,destination.domain,wildcard,core,,,Destination domain. +2.0.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +2.0.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +2.0.0-dev+exp,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +2.0.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. +2.0.0-dev+exp,true,destination,destination.mac,keyword,core,,,MAC address of the destination. +2.0.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +2.0.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +2.0.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. 
+2.0.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. +2.0.0-dev+exp,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +2.0.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +2.0.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,destination,destination.user.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
+2.0.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +2.0.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +2.0.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +2.0.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +2.0.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +2.0.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +2.0.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +2.0.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +2.0.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +2.0.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +2.0.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +2.0.0-dev+exp,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
+2.0.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +2.0.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +2.0.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +2.0.0-dev+exp,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. +2.0.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +2.0.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +2.0.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +2.0.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +2.0.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +2.0.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +2.0.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +2.0.0-dev+exp,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried. +2.0.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +2.0.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +2.0.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. 
+2.0.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +2.0.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +2.0.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +2.0.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +2.0.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. +2.0.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. +2.0.0-dev+exp,true,error,error.message,text,core,,,Error message. +2.0.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +2.0.0-dev+exp,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. +2.0.0-dev+exp,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +2.0.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +2.0.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +2.0.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. +2.0.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +2.0.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +2.0.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +2.0.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. 
+2.0.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +2.0.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +2.0.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +2.0.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +2.0.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +2.0.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +2.0.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +2.0.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. +2.0.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +2.0.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +2.0.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +2.0.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +2.0.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. +2.0.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. +2.0.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. 
+2.0.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. +2.0.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +2.0.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +2.0.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. +2.0.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +2.0.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +2.0.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +2.0.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +2.0.0-dev+exp,true,file,file.created,date,extended,,,File creation time. +2.0.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +2.0.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +2.0.0-dev+exp,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. +2.0.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +2.0.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +2.0.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 
+2.0.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +2.0.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +2.0.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +2.0.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +2.0.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +2.0.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +2.0.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +2.0.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +2.0.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. +2.0.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +2.0.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. +2.0.0-dev+exp,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." +2.0.0-dev+exp,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +2.0.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +2.0.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
+2.0.0-dev+exp,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +2.0.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. +2.0.0-dev+exp,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. +2.0.0-dev+exp,true,file,file.target_path.text,text,extended,,,Target path for symlinks. +2.0.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +2.0.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +2.0.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +2.0.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +2.0.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +2.0.0-dev+exp,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +2.0.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +2.0.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +2.0.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+2.0.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +2.0.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +2.0.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +2.0.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +2.0.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +2.0.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +2.0.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +2.0.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +2.0.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +2.0.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code +2.0.0-dev+exp,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +2.0.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +2.0.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. 
+2.0.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +2.0.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +2.0.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +2.0.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +2.0.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +2.0.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +2.0.0-dev+exp,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +2.0.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,host,host.hostname,wildcard,core,,,Hostname of the host. +2.0.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. +2.0.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. +2.0.0-dev+exp,true,host,host.mac,keyword,core,array,,Host mac addresses. +2.0.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. 
+2.0.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +2.0.0-dev+exp,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +2.0.0-dev+exp,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +2.0.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +2.0.0-dev+exp,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +2.0.0-dev+exp,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +2.0.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +2.0.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +2.0.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. +2.0.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +2.0.0-dev+exp,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,host,host.user.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,host,host.user.group.name,keyword,extended,,,Name of the group. 
+2.0.0-dev+exp,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,host,host.user.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +2.0.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +2.0.0-dev+exp,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. +2.0.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +2.0.0-dev+exp,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. +2.0.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +2.0.0-dev+exp,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. +2.0.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +2.0.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +2.0.0-dev+exp,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. +2.0.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +2.0.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. 
+2.0.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +2.0.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. +2.0.0-dev+exp,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +2.0.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. +2.0.0-dev+exp,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +2.0.0-dev+exp,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. +2.0.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +2.0.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +2.0.0-dev+exp,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." +2.0.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata +2.0.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +2.0.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +2.0.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +2.0.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +2.0.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +2.0.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. +2.0.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +2.0.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. 
+2.0.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +2.0.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +2.0.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +2.0.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information +2.0.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +2.0.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +2.0.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +2.0.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +2.0.0-dev+exp,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. +2.0.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +2.0.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +2.0.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +2.0.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +2.0.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information +2.0.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +2.0.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +2.0.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +2.0.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. 
+2.0.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +2.0.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +2.0.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +2.0.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +2.0.0-dev+exp,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +2.0.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +2.0.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information +2.0.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +2.0.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +2.0.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +2.0.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +2.0.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +2.0.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +2.0.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. 
+2.0.0-dev+exp,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer +2.0.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +2.0.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +2.0.0-dev+exp,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +2.0.0-dev+exp,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +2.0.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +2.0.0-dev+exp,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +2.0.0-dev+exp,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +2.0.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +2.0.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +2.0.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +2.0.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +2.0.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +2.0.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +2.0.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. +2.0.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. 
+2.0.0-dev+exp,true,organization,organization.name,wildcard,extended,,,Organization name. +2.0.0-dev+exp,true,organization,organization.name.text,text,extended,,,Organization name. +2.0.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +2.0.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +2.0.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +2.0.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +2.0.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +2.0.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. +2.0.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +2.0.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name +2.0.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +2.0.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +2.0.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. +2.0.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type +2.0.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version +2.0.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +2.0.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. +2.0.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. 
+2.0.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +2.0.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +2.0.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +2.0.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +2.0.0-dev+exp,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +2.0.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +2.0.0-dev+exp,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. +2.0.0-dev+exp,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +2.0.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. +2.0.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +2.0.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +2.0.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +2.0.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +2.0.0-dev+exp,true,process,process.name,wildcard,extended,,ssh,Process name. +2.0.0-dev+exp,true,process,process.name.text,text,extended,,ssh,Process name. +2.0.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
+2.0.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +2.0.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +2.0.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +2.0.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +2.0.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +2.0.0-dev+exp,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +2.0.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +2.0.0-dev+exp,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. +2.0.0-dev+exp,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +2.0.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +2.0.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +2.0.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +2.0.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +2.0.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. 
+2.0.0-dev+exp,true,process,process.parent.name,wildcard,extended,,ssh,Process name. +2.0.0-dev+exp,true,process,process.parent.name.text,text,extended,,ssh,Process name. +2.0.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +2.0.0-dev+exp,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +2.0.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. +2.0.0-dev+exp,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. +2.0.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +2.0.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +2.0.0-dev+exp,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name. +2.0.0-dev+exp,true,process,process.parent.title,wildcard,extended,,,Process title. +2.0.0-dev+exp,true,process,process.parent.title.text,text,extended,,,Process title. 
+2.0.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +2.0.0-dev+exp,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process. +2.0.0-dev+exp,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. +2.0.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +2.0.0-dev+exp,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +2.0.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. +2.0.0-dev+exp,true,process,process.ppid,long,extended,,4241,Parent process' pid. +2.0.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +2.0.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. +2.0.0-dev+exp,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name. +2.0.0-dev+exp,true,process,process.title,wildcard,extended,,,Process title. 
+2.0.0-dev+exp,true,process,process.title.text,text,extended,,,Process title. +2.0.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +2.0.0-dev+exp,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process. +2.0.0-dev+exp,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. +2.0.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +2.0.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +2.0.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +2.0.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +2.0.0-dev+exp,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +2.0.0-dev+exp,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +2.0.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +2.0.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +2.0.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +2.0.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +2.0.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names seen on your event. 
+2.0.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +2.0.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +2.0.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +2.0.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID +2.0.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +2.0.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +2.0.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +2.0.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +2.0.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +2.0.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version +2.0.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. +2.0.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +2.0.0-dev+exp,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +2.0.0-dev+exp,true,server,server.domain,wildcard,core,,,Server domain. +2.0.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +2.0.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+2.0.0-dev+exp,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +2.0.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. +2.0.0-dev+exp,true,server,server.mac,keyword,core,,,MAC address of the server. +2.0.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip +2.0.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port +2.0.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +2.0.0-dev+exp,true,server,server.port,long,core,,,Port of the server. +2.0.0-dev+exp,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +2.0.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +2.0.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,server,server.user.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. 
+2.0.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,server,server.user.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +2.0.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +2.0.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +2.0.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +2.0.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. +2.0.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +2.0.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. +2.0.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. +2.0.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +2.0.0-dev+exp,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +2.0.0-dev+exp,true,source,source.domain,wildcard,core,,,Source domain. +2.0.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. 
+2.0.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +2.0.0-dev+exp,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +2.0.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. +2.0.0-dev+exp,true,source,source.mac,keyword,core,,,MAC address of the source. +2.0.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip +2.0.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port +2.0.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +2.0.0-dev+exp,true,source,source.port,long,core,,,Port of the source. +2.0.0-dev+exp,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +2.0.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +2.0.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,source,source.user.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 
+2.0.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,source,source.user.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +2.0.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +2.0.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +2.0.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +2.0.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +2.0.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +2.0.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +2.0.0-dev+exp,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. +2.0.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. 
+2.0.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +2.0.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +2.0.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. +2.0.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +2.0.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +2.0.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +2.0.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +2.0.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +2.0.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +2.0.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +2.0.0-dev+exp,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. 
+2.0.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +2.0.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +2.0.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +2.0.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +2.0.0-dev+exp,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +2.0.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +2.0.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +2.0.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +2.0.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +2.0.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +2.0.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +2.0.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
+2.0.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +2.0.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +2.0.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +2.0.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +2.0.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +2.0.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +2.0.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +2.0.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +2.0.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +2.0.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +2.0.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code +2.0.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+2.0.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +2.0.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +2.0.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +2.0.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +2.0.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +2.0.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +2.0.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +2.0.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +2.0.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +2.0.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +2.0.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +2.0.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
+2.0.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +2.0.0-dev+exp,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +2.0.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +2.0.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +2.0.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +2.0.0-dev+exp,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +2.0.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +2.0.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +2.0.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +2.0.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+2.0.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +2.0.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +2.0.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +2.0.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +2.0.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +2.0.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +2.0.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +2.0.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +2.0.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +2.0.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +2.0.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +2.0.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+2.0.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code +2.0.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +2.0.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +2.0.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +2.0.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +2.0.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +2.0.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +2.0.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +2.0.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +2.0.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +2.0.0-dev+exp,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url. +2.0.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +2.0.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +2.0.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
+2.0.0-dev+exp,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +2.0.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +2.0.0-dev+exp,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +2.0.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. +2.0.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +2.0.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +2.0.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. +2.0.0-dev+exp,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +2.0.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +2.0.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +2.0.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. +2.0.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,user,user.changes.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+2.0.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,user,user.effective.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user. 
+2.0.0-dev+exp,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,user,user.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,user,user.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,user,user.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,user,user.target.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+2.0.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,user,user.target.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +2.0.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +2.0.0-dev+exp,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +2.0.0-dev+exp,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +2.0.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +2.0.0-dev+exp,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +2.0.0-dev+exp,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
+2.0.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +2.0.0-dev+exp,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +2.0.0-dev+exp,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +2.0.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +2.0.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +2.0.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +2.0.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +2.0.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +2.0.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +2.0.0-dev+exp,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +2.0.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +2.0.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +2.0.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. 
+2.0.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +2.0.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +2.0.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +2.0.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +2.0.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +2.0.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +2.0.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 3989959f19..0c6e8374cf 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -18,6 +18,8 @@ short: Date/time when the event originated. type: date agent.build.original: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: agent-build-original description: 'Extended build information for the agent. @@ -128,6 +130,8 @@ client.as.number: short: Unique number allocated to the autonomous system. type: long client.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-as-organization-name description: Organization name. example: Google LLC @@ -155,6 +159,8 @@ client.bytes: short: Bytes sent from the client to the server. type: long client.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-domain description: Client domain. flat_name: client.domain 
@@ -223,6 +229,8 @@ client.geo.location: short: Longitude and latitude. type: geo_point client.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -328,6 +336,8 @@ client.port: short: Port of the client. type: long client.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-registered-domain description: 'The highest registered client domain, stripped of the subdomain. @@ -392,6 +402,8 @@ client.user.domain: short: Name of the directory the user is a member of. type: keyword client.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-user-email description: User email address. flat_name: client.user.email @@ -402,6 +414,8 @@ client.user.email: short: User email address. type: wildcard client.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-user-full-name description: User's full name, if available. example: Albert Einstein @@ -479,6 +493,8 @@ client.user.id: short: Unique identifier of the user. type: keyword client.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-user-name description: Short name or login of the user. example: albert @@ -717,6 +733,8 @@ destination.as.number: short: Unique number allocated to the autonomous system. type: long destination.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-as-organization-name description: Organization name. example: Google LLC 
@@ -744,6 +762,8 @@ destination.bytes: short: Bytes sent from the destination to the source. type: long destination.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-domain description: Destination domain. flat_name: destination.domain @@ -812,6 +832,8 @@ destination.geo.location: short: Longitude and latitude. type: geo_point destination.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -916,6 +938,8 @@ destination.port: short: Port of the destination. type: long destination.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-registered-domain description: 'The highest registered destination domain, stripped of the subdomain. @@ -980,6 +1004,8 @@ destination.user.domain: short: Name of the directory the user is a member of. type: keyword destination.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-user-email description: User email address. flat_name: destination.user.email @@ -990,6 +1016,8 @@ destination.user.email: short: User email address. type: wildcard destination.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-user-full-name description: User's full name, if available. example: Albert Einstein @@ -1067,6 +1095,8 @@ destination.user.id: short: Unique identifier of the user. type: keyword destination.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-user-name description: Short name or login of the user. example: albert 
@@ -1296,6 +1326,8 @@ dll.pe.imphash: short: A hash of the imports in a PE file. type: keyword dll.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -1349,6 +1381,8 @@ dns.answers.class: short: The class of DNS data contained in this resource record. type: keyword dns.answers.data: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: dns-answers-data description: 'The data describing the resource. @@ -1449,6 +1483,8 @@ dns.question.class: short: The class of records being queried. type: keyword dns.question.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: dns-question-name description: 'The name being queried. @@ -1615,11 +1651,11 @@ error.message: short: Error message. type: text error.stack_trace: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: error-stack-trace description: The stack trace of this error in plain text. - doc_values: false flat_name: error.stack_trace - index: false level: extended multi_fields: - flat_name: error.stack_trace.text @@ -1631,6 +1667,8 @@ error.stack_trace: short: The stack trace of this error in plain text. type: wildcard error.type: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: error-type description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException 
@@ -2517,6 +2555,8 @@ file.device: short: Device that is the source of the file. type: keyword file.directory: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-directory description: Directory where the file is located. It should include the drive letter, when appropriate. @@ -2688,6 +2728,8 @@ file.owner: short: File owner's username. type: keyword file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-path description: Full path to the file, including the file name. It should include the drive letter, when appropriate. @@ -2768,6 +2810,8 @@ file.pe.imphash: short: A hash of the imports in a PE file. type: keyword file.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -2803,6 +2847,8 @@ file.size: short: File size in bytes. type: long file.target_path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-target-path description: Target path for symlinks. flat_name: file.target_path @@ -2880,6 +2926,8 @@ file.x509.issuer.country: short: List of country (C) codes type: keyword file.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance 
@@ -3069,6 +3117,8 @@ file.x509.subject.country: short: List of country (C) code type: keyword file.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -3259,6 +3309,8 @@ host.geo.location: short: Longitude and latitude. type: geo_point host.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -3300,6 +3352,8 @@ host.geo.region_name: short: Region name. type: keyword host.hostname: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-hostname description: 'Hostname of the host. @@ -3371,6 +3425,8 @@ host.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword host.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -3399,6 +3455,8 @@ host.os.kernel: short: Operating system kernel version as a raw string. type: keyword host.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X 
@@ -3494,6 +3552,8 @@ host.user.domain: short: Name of the directory the user is a member of. type: keyword host.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-user-email description: User email address. flat_name: host.user.email @@ -3504,6 +3564,8 @@ host.user.email: short: User email address. type: wildcard host.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-user-full-name description: User's full name, if available. example: Albert Einstein @@ -3581,6 +3643,8 @@ host.user.id: short: Unique identifier of the user. type: keyword host.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-user-name description: Short name or login of the user. example: albert @@ -3621,6 +3685,8 @@ http.request.body.bytes: short: Size in bytes of the request body. type: long http.request.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: http-request-body-content description: The full HTTP request body. example: Hello world @@ -3680,6 +3746,8 @@ http.request.mime_type: short: Mime type of the body of the request. type: keyword http.request.referrer: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: http-request-referrer description: Referrer for this HTTP request. example: https://blog.example.com/ @@ -3701,6 +3769,8 @@ http.response.body.bytes: short: Size in bytes of the response body. type: long http.response.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: http-response-body-content description: The full HTTP response body. example: Hello world 
@@ -3780,6 +3850,8 @@ labels: short: Custom key/value pairs. type: object log.file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: log-file-path description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. @@ -3810,6 +3882,8 @@ log.level: short: Log level of the log event. type: keyword log.logger: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: log-logger description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. @@ -4340,6 +4414,8 @@ observer.geo.location: short: Longitude and latitude. type: geo_point observer.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: observer-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -4526,6 +4602,8 @@ observer.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword observer.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: observer-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -4554,6 +4632,8 @@ observer.os.kernel: short: Operating system kernel version as a raw string. type: keyword observer.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: observer-os-name description: Operating system name, without the version. example: Mac OS X 
@@ -4679,6 +4759,8 @@ organization.id: short: Unique identifier for the organization. type: keyword organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: organization-name description: Organization name. flat_name: organization.name @@ -4939,6 +5021,8 @@ process.code_signature.valid: content. type: boolean process.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -4976,6 +5060,8 @@ process.entity_id: short: Unique identifier for the process. type: keyword process.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-executable description: Absolute path to the process executable. example: /usr/bin/ssh @@ -5048,6 +5134,8 @@ process.hash.sha512: short: SHA512 hash. type: keyword process.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-name description: 'Process name. @@ -5164,6 +5252,8 @@ process.parent.code_signature.valid: content. type: boolean process.parent.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -5203,6 +5293,8 @@ process.parent.entity_id: short: Unique identifier for the process. type: keyword process.parent.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh 
@@ -5277,6 +5369,8 @@ process.parent.hash.sha512: short: SHA512 hash. type: keyword process.parent.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-name description: 'Process name. @@ -5359,6 +5453,8 @@ process.parent.pe.imphash: short: A hash of the imports in a PE file. type: keyword process.parent.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -5440,6 +5536,8 @@ process.parent.thread.id: short: Thread ID. type: long process.parent.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-thread-name description: Thread name. example: thread-0 @@ -5451,6 +5549,8 @@ process.parent.thread.name: short: Thread name. type: wildcard process.parent.title: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-title description: 'Process title. @@ -5480,6 +5580,8 @@ process.parent.uptime: short: Seconds the process has been up. type: long process.parent.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-working-directory description: The working directory of the process. example: /home/alice @@ -5560,6 +5662,8 @@ process.pe.imphash: short: A hash of the imports in a PE file. type: keyword process.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE 
@@ -5636,6 +5740,8 @@ process.thread.id: short: Thread ID. type: long process.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-thread-name description: Thread name. example: thread-0 @@ -5646,6 +5752,8 @@ process.thread.name: short: Thread name. type: wildcard process.title: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-title description: 'Process title. @@ -5673,6 +5781,8 @@ process.uptime: short: Seconds the process has been up. type: long process.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-working-directory description: The working directory of the process. example: /home/alice @@ -5703,6 +5813,8 @@ registry.data.bytes: short: Original bytes written with base64 encoding. type: keyword registry.data.strings: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: registry-data-strings description: 'Content when writing string types. @@ -5742,6 +5854,8 @@ registry.hive: short: Abbreviated name for the hive. type: keyword registry.key: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe @@ -5752,6 +5866,8 @@ registry.key: short: Hive-relative path of keys. type: wildcard registry.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution 
@@ -5969,6 +6085,8 @@ server.as.number: short: Unique number allocated to the autonomous system. type: long server.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-as-organization-name description: Organization name. example: Google LLC @@ -5996,6 +6114,8 @@ server.bytes: short: Bytes sent from the server to the client. type: long server.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-domain description: Server domain. flat_name: server.domain @@ -6064,6 +6184,8 @@ server.geo.location: short: Longitude and latitude. type: geo_point server.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -6169,6 +6291,8 @@ server.port: short: Port of the server. type: long server.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-registered-domain description: 'The highest registered server domain, stripped of the subdomain. @@ -6233,6 +6357,8 @@ server.user.domain: short: Name of the directory the user is a member of. type: keyword server.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-user-email description: User email address. flat_name: server.user.email @@ -6243,6 +6369,8 @@ server.user.email: short: User email address. type: wildcard server.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-user-full-name description: User's full name, if available. example: Albert Einstein 
@@ -6320,6 +6448,8 @@ server.user.id: short: Unique identifier of the user. type: keyword server.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-user-name description: Short name or login of the user. example: albert @@ -6488,6 +6618,8 @@ source.as.number: short: Unique number allocated to the autonomous system. type: long source.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-as-organization-name description: Organization name. example: Google LLC @@ -6515,6 +6647,8 @@ source.bytes: short: Bytes sent from the source to the destination. type: long source.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-domain description: Source domain. flat_name: source.domain @@ -6583,6 +6717,8 @@ source.geo.location: short: Longitude and latitude. type: geo_point source.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -6688,6 +6824,8 @@ source.port: short: Port of the source. type: long source.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-registered-domain description: 'The highest registered source domain, stripped of the subdomain. @@ -6752,6 +6890,8 @@ source.user.domain: short: Name of the directory the user is a member of. type: keyword source.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-user-email description: User email address. flat_name: source.user.email 
@@ -6762,6 +6902,8 @@ source.user.email: short: User email address. type: wildcard source.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-user-full-name description: User's full name, if available. example: Albert Einstein @@ -6839,6 +6981,8 @@ source.user.id: short: Unique identifier of the user. type: keyword source.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-user-name description: Short name or login of the user. example: albert @@ -7117,6 +7261,8 @@ tls.client.hash.sha256: certificate offered by the client. type: keyword tls.client.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-issuer description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. @@ -7175,6 +7321,8 @@ tls.client.server_name: short: Hostname the client is trying to connect to. Also called the SNI. type: keyword tls.client.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-subject description: Distinguished name of subject of the x.509 certificate presented by the client. @@ -7240,6 +7388,8 @@ tls.client.x509.issuer.country: short: List of country (C) codes type: keyword tls.client.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance 
@@ -7429,6 +7579,8 @@ tls.client.x509.subject.country: short: List of country (C) code type: keyword tls.client.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -7619,6 +7771,8 @@ tls.server.hash.sha256: certificate offered by the server. type: keyword tls.server.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-issuer description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -7662,6 +7816,8 @@ tls.server.not_before: short: Timestamp indicating when server certificate is first considered valid. type: date tls.server.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-subject description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com @@ -7713,6 +7869,8 @@ tls.server.x509.issuer.country: short: List of country (C) codes type: keyword tls.server.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance 
@@ -7902,6 +8060,8 @@ tls.server.x509.subject.country: short: List of country (C) code type: keyword tls.server.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -8026,6 +8186,8 @@ transaction.id: short: Unique identifier of the transaction within the scope of its trace. type: keyword url.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-domain description: 'Domain of the url, such as "www.elastic.co". @@ -8074,6 +8236,8 @@ url.fragment: short: Portion of the url after the `#`. type: keyword url.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. @@ -8090,6 +8254,8 @@ url.full: short: Full unparsed URL. type: wildcard url.original: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-original description: 'Unmodified original url as seen in the event source. @@ -8120,6 +8286,8 @@ url.password: short: Password of the request. type: keyword url.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-path description: Path of the request, such as "/search". flat_name: url.path 
@@ -8156,6 +8324,8 @@ url.query: short: Query string of the request. type: keyword url.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. @@ -8243,6 +8413,8 @@ user.changes.domain: short: Name of the directory the user is a member of. type: keyword user.changes.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-changes-email description: User email address. flat_name: user.changes.email @@ -8253,6 +8425,8 @@ user.changes.email: short: User email address. type: wildcard user.changes.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-changes-full-name description: User's full name, if available. example: Albert Einstein @@ -8330,6 +8504,8 @@ user.changes.id: short: Unique identifier of the user. type: keyword user.changes.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-changes-name description: Short name or login of the user. example: albert @@ -8384,6 +8560,8 @@ user.effective.domain: short: Name of the directory the user is a member of. type: keyword user.effective.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-effective-email description: User email address. flat_name: user.effective.email @@ -8394,6 +8572,8 @@ user.effective.email: short: User email address. type: wildcard user.effective.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-effective-full-name description: User's full name, if available. example: Albert Einstein 
@@ -8471,6 +8651,8 @@ user.effective.id: short: Unique identifier of the user. type: keyword user.effective.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-effective-name description: Short name or login of the user. example: albert @@ -8500,6 +8682,8 @@ user.effective.roles: short: Array of user roles at the time of the event. type: keyword user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-email description: User email address. flat_name: user.email @@ -8509,6 +8693,8 @@ user.email: short: User email address. type: wildcard user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-full-name description: User's full name, if available. example: Albert Einstein @@ -8583,6 +8769,8 @@ user.id: short: Unique identifier of the user. type: keyword user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-name description: Short name or login of the user. example: albert @@ -8623,6 +8811,8 @@ user.target.domain: short: Name of the directory the user is a member of. type: keyword user.target.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-target-email description: User email address. flat_name: user.target.email @@ -8633,6 +8823,8 @@ user.target.email: short: User email address. type: wildcard user.target.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-target-full-name description: User's full name, if available. example: Albert Einstein 
@@ -8710,6 +8902,8 @@ user.target.id: short: Unique identifier of the user. type: keyword user.target.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-target-name description: Short name or login of the user. example: albert @@ -8761,6 +8955,8 @@ user_agent.name: short: Name of the user agent. type: keyword user_agent.original: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-agent-original description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 @@ -8789,6 +8985,8 @@ user_agent.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword user_agent.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-agent-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -8817,6 +9015,8 @@ user_agent.os.kernel: short: Operating system kernel version as a raw string. type: keyword user_agent.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-agent-os-name description: Operating system name, without the version. example: Mac OS X diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 4ce293b37a..36315f8d6c 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -8,6 +8,8 @@ agent: event happened or the measurement was taken.' fields: agent.build.original: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: agent-build-original description: 'Extended build information for the agent. 
@@ -118,6 +120,8 @@ as: short: Unique number allocated to the autonomous system. type: long as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: as-organization-name description: Organization name. example: Google LLC @@ -273,6 +277,8 @@ client: short: Unique number allocated to the autonomous system. type: long client.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-as-organization-name description: Organization name. example: Google LLC @@ -300,6 +306,8 @@ client: short: Bytes sent from the client to the server. type: long client.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-domain description: Client domain. flat_name: client.domain @@ -368,6 +376,8 @@ client: short: Longitude and latitude. type: geo_point client.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -473,6 +483,8 @@ client: short: Port of the client. type: long client.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-registered-domain description: 'The highest registered client domain, stripped of the subdomain. @@ -537,6 +549,8 @@ client: short: Name of the directory the user is a member of. type: keyword client.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-user-email description: User email address. flat_name: client.user.email 
@@ -547,6 +561,8 @@ client: short: User email address. type: wildcard client.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-user-full-name description: User's full name, if available. example: Albert Einstein @@ -624,6 +640,8 @@ client: short: Unique identifier of the user. type: keyword client.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-user-name description: Short name or login of the user. example: albert @@ -1004,6 +1022,8 @@ destination: short: Unique number allocated to the autonomous system. type: long destination.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-as-organization-name description: Organization name. example: Google LLC @@ -1031,6 +1051,8 @@ destination: short: Bytes sent from the destination to the source. type: long destination.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-domain description: Destination domain. flat_name: destination.domain @@ -1099,6 +1121,8 @@ destination: short: Longitude and latitude. type: geo_point destination.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -1203,6 +1227,8 @@ destination: short: Port of the destination. type: long destination.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-registered-domain description: 'The highest registered destination domain, stripped of the subdomain. 
@@ -1267,6 +1293,8 @@ destination: short: Name of the directory the user is a member of. type: keyword destination.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-user-email description: User email address. flat_name: destination.user.email @@ -1277,6 +1305,8 @@ destination: short: User email address. type: wildcard destination.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-user-full-name description: User's full name, if available. example: Albert Einstein @@ -1354,6 +1384,8 @@ destination: short: Unique identifier of the user. type: keyword destination.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-user-name description: Short name or login of the user. example: albert @@ -1617,6 +1649,8 @@ dll: short: A hash of the imports in a PE file. type: keyword dll.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -1698,6 +1732,8 @@ dns: short: The class of DNS data contained in this resource record. type: keyword dns.answers.data: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: dns-answers-data description: 'The data describing the resource. @@ -1800,6 +1836,8 @@ dns: short: The class of records being queried. type: keyword dns.question.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: dns-question-name description: 'The name being queried. 
@@ -1987,11 +2025,11 @@ error: short: Error message. type: text error.stack_trace: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: error-stack-trace description: The stack trace of this error in plain text. - doc_values: false flat_name: error.stack_trace - index: false level: extended multi_fields: - flat_name: error.stack_trace.text @@ -2003,6 +2041,8 @@ error: short: The stack trace of this error in plain text. type: wildcard error.type: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: error-type description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException @@ -2940,6 +2980,8 @@ file: short: Device that is the source of the file. type: keyword file.directory: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-directory description: Directory where the file is located. It should include the drive letter, when appropriate. @@ -3111,6 +3153,8 @@ file: short: File owner's username. type: keyword file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-path description: Full path to the file, including the file name. It should include the drive letter, when appropriate. @@ -3191,6 +3235,8 @@ file: short: A hash of the imports in a PE file. type: keyword file.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE 
@@ -3226,6 +3272,8 @@ file: short: File size in bytes. type: long file.target_path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-target-path description: Target path for symlinks. flat_name: file.target_path @@ -3303,6 +3351,8 @@ file: short: List of country (C) codes type: keyword file.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -3492,6 +3542,8 @@ file: short: List of country (C) code type: keyword file.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -3651,6 +3703,8 @@ geo: short: Longitude and latitude. type: geo_point geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -3921,6 +3975,8 @@ host: short: Longitude and latitude. type: geo_point host.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -3962,6 +4018,8 @@ host: short: Region name. type: keyword host.hostname: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-hostname description: 'Hostname of the host. 
@@ -4034,6 +4092,8 @@ host: short: OS family (such as redhat, debian, freebsd, windows). type: keyword host.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -4062,6 +4122,8 @@ host: short: Operating system kernel version as a raw string. type: keyword host.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X @@ -4159,6 +4221,8 @@ host: short: Name of the directory the user is a member of. type: keyword host.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-user-email description: User email address. flat_name: host.user.email @@ -4169,6 +4233,8 @@ host: short: User email address. type: wildcard host.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-user-full-name description: User's full name, if available. example: Albert Einstein @@ -4246,6 +4312,8 @@ host: short: Unique identifier of the user. type: keyword host.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-user-name description: Short name or login of the user. example: albert @@ -4310,6 +4378,8 @@ http: short: Size in bytes of the request body. type: long http.request.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: http-request-body-content description: The full HTTP request body. example: Hello world 
@@ -4371,6 +4441,8 @@ http: short: Mime type of the body of the request. type: keyword http.request.referrer: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: http-request-referrer description: Referrer for this HTTP request. example: https://blog.example.com/ @@ -4392,6 +4464,8 @@ http: short: Size in bytes of the response body. type: long http.response.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: http-response-body-content description: The full HTTP response body. example: Hello world @@ -4529,6 +4603,8 @@ log: but rather in `event.*` or in other ECS fields.' fields: log.file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: log-file-path description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. @@ -4559,6 +4635,8 @@ log: short: Log level of the log event. type: keyword log.logger: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: log-logger description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. @@ -5120,6 +5198,8 @@ observer: short: Longitude and latitude. type: geo_point observer.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: observer-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -5307,6 +5387,8 @@ observer: short: OS family (such as redhat, debian, freebsd, windows). type: keyword observer.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: observer-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -5335,6 +5417,8 @@ observer: short: Operating system kernel version as a raw string. type: keyword observer.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: observer-os-name description: Operating system name, without the version. example: Mac OS X @@ -5500,6 +5584,8 @@ organization: short: Unique identifier for the organization. type: keyword organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: organization-name description: Organization name. flat_name: organization.name @@ -5534,6 +5620,8 @@ os: short: OS family (such as redhat, debian, freebsd, windows). type: keyword os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -5560,6 +5648,8 @@ os: short: Operating system kernel version as a raw string. type: keyword os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: os-name description: Operating system name, without the version. example: Mac OS X @@ -5859,6 +5949,8 @@ pe: short: A hash of the imports in a PE file. type: keyword pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE 
@@ -6002,6 +6094,8 @@ process: content. type: boolean process.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -6039,6 +6133,8 @@ process: short: Unique identifier for the process. type: keyword process.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-executable description: Absolute path to the process executable. example: /usr/bin/ssh @@ -6111,6 +6207,8 @@ process: short: SHA512 hash. type: keyword process.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-name description: 'Process name. @@ -6227,6 +6325,8 @@ process: content. type: boolean process.parent.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -6266,6 +6366,8 @@ process: short: Unique identifier for the process. type: keyword process.parent.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh @@ -6340,6 +6442,8 @@ process: short: SHA512 hash. type: keyword process.parent.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-name description: 'Process name. 
@@ -6422,6 +6526,8 @@ process: short: A hash of the imports in a PE file. type: keyword process.parent.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -6503,6 +6609,8 @@ process: short: Thread ID. type: long process.parent.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-thread-name description: Thread name. example: thread-0 @@ -6514,6 +6622,8 @@ process: short: Thread name. type: wildcard process.parent.title: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-title description: 'Process title. @@ -6543,6 +6653,8 @@ process: short: Seconds the process has been up. type: long process.parent.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-working-directory description: The working directory of the process. example: /home/alice @@ -6623,6 +6735,8 @@ process: short: A hash of the imports in a PE file. type: keyword process.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -6699,6 +6813,8 @@ process: short: Thread ID. type: long process.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-thread-name description: Thread name. example: thread-0 
@@ -6709,6 +6825,8 @@ process: short: Thread name. type: wildcard process.title: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-title description: 'Process title. @@ -6736,6 +6854,8 @@ process: short: Seconds the process has been up. type: long process.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-working-directory description: The working directory of the process. example: /home/alice @@ -6799,6 +6919,8 @@ registry: short: Original bytes written with base64 encoding. type: keyword registry.data.strings: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: registry-data-strings description: 'Content when writing string types. @@ -6838,6 +6960,8 @@ registry: short: Abbreviated name for the hive. type: keyword registry.key: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe @@ -6848,6 +6972,8 @@ registry: short: Hive-relative path of keys. type: wildcard registry.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution @@ -7122,6 +7248,8 @@ server: short: Unique number allocated to the autonomous system. type: long server.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-as-organization-name description: Organization name. example: Google LLC 
@@ -7149,6 +7277,8 @@ server: short: Bytes sent from the server to the client. type: long server.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-domain description: Server domain. flat_name: server.domain @@ -7217,6 +7347,8 @@ server: short: Longitude and latitude. type: geo_point server.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -7322,6 +7454,8 @@ server: short: Port of the server. type: long server.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-registered-domain description: 'The highest registered server domain, stripped of the subdomain. @@ -7386,6 +7520,8 @@ server: short: Name of the directory the user is a member of. type: keyword server.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-user-email description: User email address. flat_name: server.user.email @@ -7396,6 +7532,8 @@ server: short: User email address. type: wildcard server.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-user-full-name description: User's full name, if available. example: Albert Einstein @@ -7473,6 +7611,8 @@ server: short: Unique identifier of the user. type: keyword server.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-user-name description: Short name or login of the user. example: albert 
@@ -7685,6 +7825,8 @@ source: short: Unique number allocated to the autonomous system. type: long source.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-as-organization-name description: Organization name. example: Google LLC @@ -7712,6 +7854,8 @@ source: short: Bytes sent from the source to the destination. type: long source.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-domain description: Source domain. flat_name: source.domain @@ -7780,6 +7924,8 @@ source: short: Longitude and latitude. type: geo_point source.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -7885,6 +8031,8 @@ source: short: Port of the source. type: long source.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-registered-domain description: 'The highest registered source domain, stripped of the subdomain. @@ -7949,6 +8097,8 @@ source: short: Name of the directory the user is a member of. type: keyword source.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-user-email description: User email address. flat_name: source.user.email @@ -7959,6 +8109,8 @@ source: short: User email address. type: wildcard source.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-user-full-name description: User's full name, if available. example: Albert Einstein 
@@ -8036,6 +8188,8 @@ source: short: Unique identifier of the user. type: keyword source.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-user-name description: Short name or login of the user. example: albert @@ -8328,6 +8482,8 @@ tls: of certificate offered by the client. type: keyword tls.client.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-issuer description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. @@ -8388,6 +8544,8 @@ tls: short: Hostname the client is trying to connect to. Also called the SNI. type: keyword tls.client.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-subject description: Distinguished name of subject of the x.509 certificate presented by the client. @@ -8454,6 +8612,8 @@ tls: short: List of country (C) codes type: keyword tls.client.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -8643,6 +8803,8 @@ tls: short: List of country (C) code type: keyword tls.client.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net 
@@ -8833,6 +8995,8 @@ tls: of certificate offered by the server. type: keyword tls.server.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-issuer description: Subject of the issuer of the x.509 certificate presented by the server. @@ -8879,6 +9043,8 @@ tls: short: Timestamp indicating when server certificate is first considered valid. type: date tls.server.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-subject description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com @@ -8930,6 +9096,8 @@ tls: short: List of country (C) codes type: keyword tls.server.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -9119,6 +9287,8 @@ tls: short: List of country (C) code type: keyword tls.server.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -9294,6 +9464,8 @@ url: the breaking down into scheme, domain, path, and so on. fields: url.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-domain description: 'Domain of the url, such as "www.elastic.co". 
@@ -9343,6 +9515,8 @@ url: short: Portion of the url after the `#`. type: keyword url.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event @@ -9360,6 +9534,8 @@ url: short: Full unparsed URL. type: wildcard url.original: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-original description: 'Unmodified original url as seen in the event source. @@ -9390,6 +9566,8 @@ url: short: Password of the request. type: keyword url.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-path description: Path of the request, such as "/search". flat_name: url.path @@ -9426,6 +9604,8 @@ url: short: Query string of the request. type: keyword url.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. @@ -9526,6 +9706,8 @@ user: short: Name of the directory the user is a member of. type: keyword user.changes.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-changes-email description: User email address. flat_name: user.changes.email @@ -9536,6 +9718,8 @@ user: short: User email address. type: wildcard user.changes.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-changes-full-name description: User's full name, if available. example: Albert Einstein 
@@ -9613,6 +9797,8 @@ user: short: Unique identifier of the user. type: keyword user.changes.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-changes-name description: Short name or login of the user. example: albert @@ -9667,6 +9853,8 @@ user: short: Name of the directory the user is a member of. type: keyword user.effective.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-effective-email description: User email address. flat_name: user.effective.email @@ -9677,6 +9865,8 @@ user: short: User email address. type: wildcard user.effective.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-effective-full-name description: User's full name, if available. example: Albert Einstein @@ -9754,6 +9944,8 @@ user: short: Unique identifier of the user. type: keyword user.effective.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-effective-name description: Short name or login of the user. example: albert @@ -9783,6 +9975,8 @@ user: short: Array of user roles at the time of the event. type: keyword user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-email description: User email address. flat_name: user.email @@ -9792,6 +9986,8 @@ user: short: User email address. type: wildcard user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-full-name description: User's full name, if available. example: Albert Einstein 
@@ -9866,6 +10062,8 @@ user: short: Unique identifier of the user. type: keyword user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-name description: Short name or login of the user. example: albert @@ -9906,6 +10104,8 @@ user: short: Name of the directory the user is a member of. type: keyword user.target.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-target-email description: User email address. flat_name: user.target.email @@ -9916,6 +10116,8 @@ user: short: User email address. type: wildcard user.target.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-target-full-name description: User's full name, if available. example: Albert Einstein @@ -9993,6 +10195,8 @@ user: short: Unique identifier of the user. type: keyword user.target.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-target-name description: Short name or login of the user. example: albert @@ -10100,6 +10304,8 @@ user_agent: short: Name of the user agent. type: keyword user_agent.original: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-agent-original description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 @@ -10128,6 +10334,8 @@ user_agent: short: OS family (such as redhat, debian, freebsd, windows). type: keyword user_agent.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-agent-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave 
@@ -10156,6 +10364,8 @@ user_agent: short: Operating system kernel version as a raw string. type: keyword user_agent.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-agent-os-name description: Operating system name, without the version. example: Mac OS X @@ -10536,6 +10746,8 @@ x509: short: List of country (C) codes type: keyword x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -10710,6 +10922,8 @@ x509: short: List of country (C) code type: keyword x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 9f79732b30..0bfd44d084 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -646,14 +646,12 @@ "type": "text" }, "stack_trace": { - "doc_values": false, "fields": { "text": { "norms": false, "type": "text" } }, - "index": false, "type": "wildcard" }, "type": { diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 86ae3a2cb4..b304b8aab3 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1173,7 +1173,6 @@ norms: false default_field: false description: The stack trace of this error in plain text. - index: false - name: type level: extended type: wildcard 
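Review bot: The template.json hunk drops `"doc_values": false` and `"index": false` from error.stack_trace, which turns a stored-only field into one that is indexed with doc values; the same flip shows up in the generated/beats/fields.ecs.yml hunk on this line (`index: false` removed), in generated/csv/fields.csv (Indexed column false→true) and in the error.stack_trace hunk of generated/ecs/ecs_flat.yml further down. Everything else in this commit is the added `beta:` label, so this looks like a regeneration that picked up a schema change the title "beta labeled artifacts" does not describe. If it is intended, the description should say so, since stack traces are large free-text values and indexing them as `wildcard` changes index size and what becomes searchable; if it is not, the schema source should be checked before these artifacts are merged.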
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index a266a8460c..f2cbea1b3c 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -135,8 +135,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,error,error.code,keyword,core,,,Error code describing the error.
 2.0.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error.
 2.0.0-dev,true,error,error.message,text,core,,,Error message.
-2.0.0-dev,false,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text.
-2.0.0-dev,false,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
+2.0.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text.
+2.0.0-dev,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text.
 2.0.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception."
 2.0.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event.
 2.0.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy.
@@ -631,7 +631,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace.
 2.0.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace.
 2.0.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
-2.0.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url.
+2.0.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
 2.0.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`.
 2.0.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
 2.0.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 13b5a5920c..c29b3947f3 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -18,6 +18,8 @@
 short: Date/time when the event originated.
 type: date
 agent.build.original:
+ beta: Note the usage of `wildcard` type is considered beta. This field used to be
+ type `keyword`.
 dashed_name: agent-build-original
 description: 'Extended build information for the agent.
@@ -128,6 +130,8 @@ client.as.number:
 short: Unique number allocated to the autonomous system.
 type: long
 client.as.organization.name:
+ beta: Note the usage of `wildcard` type is considered beta. This field used to be
+ type `keyword`.
 dashed_name: client-as-organization-name
 description: Organization name.
 example: Google LLC
@@ -155,6 +159,8 @@ client.bytes: short: Bytes sent from the client to the server. type: long client.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-domain description: Client domain. flat_name: client.domain @@ -223,6 +229,8 @@ client.geo.location: short: Longitude and latitude. type: geo_point client.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -328,6 +336,8 @@ client.port: short: Port of the client. type: long client.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-registered-domain description: 'The highest registered client domain, stripped of the subdomain. @@ -392,6 +402,8 @@ client.user.domain: short: Name of the directory the user is a member of. type: keyword client.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-user-email description: User email address. flat_name: client.user.email @@ -402,6 +414,8 @@ client.user.email: short: User email address. type: wildcard client.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-user-full-name description: User's full name, if available. example: Albert Einstein @@ -479,6 +493,8 @@ client.user.id: short: Unique identifier of the user. type: keyword client.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: client-user-name description: Short name or login of the user. example: albert 
@@ -717,6 +733,8 @@ destination.as.number: short: Unique number allocated to the autonomous system. type: long destination.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-as-organization-name description: Organization name. example: Google LLC @@ -744,6 +762,8 @@ destination.bytes: short: Bytes sent from the destination to the source. type: long destination.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-domain description: Destination domain. flat_name: destination.domain @@ -812,6 +832,8 @@ destination.geo.location: short: Longitude and latitude. type: geo_point destination.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -916,6 +938,8 @@ destination.port: short: Port of the destination. type: long destination.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-registered-domain description: 'The highest registered destination domain, stripped of the subdomain. @@ -980,6 +1004,8 @@ destination.user.domain: short: Name of the directory the user is a member of. type: keyword destination.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-user-email description: User email address. flat_name: destination.user.email 
@@ -990,6 +1016,8 @@ destination.user.email: short: User email address. type: wildcard destination.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-user-full-name description: User's full name, if available. example: Albert Einstein @@ -1067,6 +1095,8 @@ destination.user.id: short: Unique identifier of the user. type: keyword destination.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: destination-user-name description: Short name or login of the user. example: albert @@ -1296,6 +1326,8 @@ dll.pe.imphash: short: A hash of the imports in a PE file. type: keyword dll.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -1349,6 +1381,8 @@ dns.answers.class: short: The class of DNS data contained in this resource record. type: keyword dns.answers.data: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: dns-answers-data description: 'The data describing the resource. @@ -1449,6 +1483,8 @@ dns.question.class: short: The class of records being queried. type: keyword dns.question.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: dns-question-name description: 'The name being queried. 
@@ -1615,11 +1651,11 @@ error.message: short: Error message. type: text error.stack_trace: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: error-stack-trace description: The stack trace of this error in plain text. - doc_values: false flat_name: error.stack_trace - index: false level: extended multi_fields: - flat_name: error.stack_trace.text @@ -1631,6 +1667,8 @@ error.stack_trace: short: The stack trace of this error in plain text. type: wildcard error.type: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: error-type description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException @@ -2517,6 +2555,8 @@ file.device: short: Device that is the source of the file. type: keyword file.directory: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-directory description: Directory where the file is located. It should include the drive letter, when appropriate. @@ -2688,6 +2728,8 @@ file.owner: short: File owner's username. type: keyword file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-path description: Full path to the file, including the file name. It should include the drive letter, when appropriate. @@ -2768,6 +2810,8 @@ file.pe.imphash: short: A hash of the imports in a PE file. type: keyword file.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE 
@@ -2803,6 +2847,8 @@ file.size: short: File size in bytes. type: long file.target_path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-target-path description: Target path for symlinks. flat_name: file.target_path @@ -2880,6 +2926,8 @@ file.x509.issuer.country: short: List of country (C) codes type: keyword file.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -3069,6 +3117,8 @@ file.x509.subject.country: short: List of country (C) code type: keyword file.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: file-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -3259,6 +3309,8 @@ host.geo.location: short: Longitude and latitude. type: geo_point host.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -3300,6 +3352,8 @@ host.geo.region_name: short: Region name. type: keyword host.hostname: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-hostname description: 'Hostname of the host. 
@@ -3371,6 +3425,8 @@ host.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword host.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -3399,6 +3455,8 @@ host.os.kernel: short: Operating system kernel version as a raw string. type: keyword host.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X @@ -3494,6 +3552,8 @@ host.user.domain: short: Name of the directory the user is a member of. type: keyword host.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-user-email description: User email address. flat_name: host.user.email @@ -3504,6 +3564,8 @@ host.user.email: short: User email address. type: wildcard host.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-user-full-name description: User's full name, if available. example: Albert Einstein @@ -3581,6 +3643,8 @@ host.user.id: short: Unique identifier of the user. type: keyword host.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: host-user-name description: Short name or login of the user. example: albert @@ -3621,6 +3685,8 @@ http.request.body.bytes: short: Size in bytes of the request body. type: long http.request.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: http-request-body-content description: The full HTTP request body. example: Hello world 
@@ -3680,6 +3746,8 @@ http.request.mime_type: short: Mime type of the body of the request. type: keyword http.request.referrer: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: http-request-referrer description: Referrer for this HTTP request. example: https://blog.example.com/ @@ -3701,6 +3769,8 @@ http.response.body.bytes: short: Size in bytes of the response body. type: long http.response.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: http-response-body-content description: The full HTTP response body. example: Hello world @@ -3780,6 +3850,8 @@ labels: short: Custom key/value pairs. type: object log.file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: log-file-path description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. @@ -3810,6 +3882,8 @@ log.level: short: Log level of the log event. type: keyword log.logger: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: log-logger description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. @@ -4340,6 +4414,8 @@ observer.geo.location: short: Longitude and latitude. type: geo_point observer.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: observer-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -4526,6 +4602,8 @@ observer.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword observer.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: observer-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -4554,6 +4632,8 @@ observer.os.kernel: short: Operating system kernel version as a raw string. type: keyword observer.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: observer-os-name description: Operating system name, without the version. example: Mac OS X @@ -4679,6 +4759,8 @@ organization.id: short: Unique identifier for the organization. type: keyword organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: organization-name description: Organization name. flat_name: organization.name @@ -4939,6 +5021,8 @@ process.code_signature.valid: content. type: boolean process.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -4976,6 +5060,8 @@ process.entity_id: short: Unique identifier for the process. type: keyword process.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-executable description: Absolute path to the process executable. example: /usr/bin/ssh @@ -5048,6 +5134,8 @@ process.hash.sha512: short: SHA512 hash. type: keyword process.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-name description: 'Process name. 
@@ -5164,6 +5252,8 @@ process.parent.code_signature.valid: content. type: boolean process.parent.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -5203,6 +5293,8 @@ process.parent.entity_id: short: Unique identifier for the process. type: keyword process.parent.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh @@ -5277,6 +5369,8 @@ process.parent.hash.sha512: short: SHA512 hash. type: keyword process.parent.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-name description: 'Process name. @@ -5359,6 +5453,8 @@ process.parent.pe.imphash: short: A hash of the imports in a PE file. type: keyword process.parent.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -5440,6 +5536,8 @@ process.parent.thread.id: short: Thread ID. type: long process.parent.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-thread-name description: Thread name. example: thread-0 @@ -5451,6 +5549,8 @@ process.parent.thread.name: short: Thread name. type: wildcard process.parent.title: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-title description: 'Process title. 
@@ -5480,6 +5580,8 @@ process.parent.uptime: short: Seconds the process has been up. type: long process.parent.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-parent-working-directory description: The working directory of the process. example: /home/alice @@ -5560,6 +5662,8 @@ process.pe.imphash: short: A hash of the imports in a PE file. type: keyword process.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -5636,6 +5740,8 @@ process.thread.id: short: Thread ID. type: long process.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-thread-name description: Thread name. example: thread-0 @@ -5646,6 +5752,8 @@ process.thread.name: short: Thread name. type: wildcard process.title: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-title description: 'Process title. @@ -5673,6 +5781,8 @@ process.uptime: short: Seconds the process has been up. type: long process.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: process-working-directory description: The working directory of the process. example: /home/alice @@ -5703,6 +5813,8 @@ registry.data.bytes: short: Original bytes written with base64 encoding. type: keyword registry.data.strings: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: registry-data-strings description: 'Content when writing string types. 
@@ -5742,6 +5854,8 @@ registry.hive: short: Abbreviated name for the hive. type: keyword registry.key: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe @@ -5752,6 +5866,8 @@ registry.key: short: Hive-relative path of keys. type: wildcard registry.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution @@ -5969,6 +6085,8 @@ server.as.number: short: Unique number allocated to the autonomous system. type: long server.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-as-organization-name description: Organization name. example: Google LLC @@ -5996,6 +6114,8 @@ server.bytes: short: Bytes sent from the server to the client. type: long server.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-domain description: Server domain. flat_name: server.domain @@ -6064,6 +6184,8 @@ server.geo.location: short: Longitude and latitude. type: geo_point server.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -6169,6 +6291,8 @@ server.port: short: Port of the server. type: long server.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-registered-domain description: 'The highest registered server domain, stripped of the subdomain. @@ -6233,6 +6357,8 @@ server.user.domain: short: Name of the directory the user is a member of. type: keyword server.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-user-email description: User email address. flat_name: server.user.email @@ -6243,6 +6369,8 @@ server.user.email: short: User email address. type: wildcard server.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-user-full-name description: User's full name, if available. example: Albert Einstein @@ -6320,6 +6448,8 @@ server.user.id: short: Unique identifier of the user. type: keyword server.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: server-user-name description: Short name or login of the user. example: albert @@ -6488,6 +6618,8 @@ source.as.number: short: Unique number allocated to the autonomous system. type: long source.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-as-organization-name description: Organization name. example: Google LLC @@ -6515,6 +6647,8 @@ source.bytes: short: Bytes sent from the source to the destination. type: long source.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-domain description: Source domain. flat_name: source.domain 
@@ -6583,6 +6717,8 @@ source.geo.location: short: Longitude and latitude. type: geo_point source.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -6688,6 +6824,8 @@ source.port: short: Port of the source. type: long source.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-registered-domain description: 'The highest registered source domain, stripped of the subdomain. @@ -6752,6 +6890,8 @@ source.user.domain: short: Name of the directory the user is a member of. type: keyword source.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-user-email description: User email address. flat_name: source.user.email @@ -6762,6 +6902,8 @@ source.user.email: short: User email address. type: wildcard source.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-user-full-name description: User's full name, if available. example: Albert Einstein @@ -6839,6 +6981,8 @@ source.user.id: short: Unique identifier of the user. type: keyword source.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: source-user-name description: Short name or login of the user. example: albert @@ -7117,6 +7261,8 @@ tls.client.hash.sha256: certificate offered by the client. type: keyword tls.client.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-issuer description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. 
@@ -7175,6 +7321,8 @@ tls.client.server_name: short: Hostname the client is trying to connect to. Also called the SNI. type: keyword tls.client.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-subject description: Distinguished name of subject of the x.509 certificate presented by the client. @@ -7240,6 +7388,8 @@ tls.client.x509.issuer.country: short: List of country (C) codes type: keyword tls.client.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -7429,6 +7579,8 @@ tls.client.x509.subject.country: short: List of country (C) code type: keyword tls.client.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-client-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -7619,6 +7771,8 @@ tls.server.hash.sha256: certificate offered by the server. type: keyword tls.server.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-issuer description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com 
@@ -7662,6 +7816,8 @@ tls.server.not_before: short: Timestamp indicating when server certificate is first considered valid. type: date tls.server.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-subject description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com @@ -7713,6 +7869,8 @@ tls.server.x509.issuer.country: short: List of country (C) codes type: keyword tls.server.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -7902,6 +8060,8 @@ tls.server.x509.subject.country: short: List of country (C) code type: keyword tls.server.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: tls-server-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -8026,6 +8186,8 @@ transaction.id: short: Unique identifier of the transaction within the scope of its trace. type: keyword url.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-domain description: 'Domain of the url, such as "www.elastic.co". 
@@ -8074,6 +8236,8 @@ url.fragment: short: Portion of the url after the `#`. type: keyword url.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. @@ -8090,6 +8254,8 @@ url.full: short: Full unparsed URL. type: wildcard url.original: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-original description: 'Unmodified original url as seen in the event source. @@ -8120,6 +8286,8 @@ url.password: short: Password of the request. type: keyword url.path: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-path description: Path of the request, such as "/search". flat_name: url.path @@ -8156,6 +8324,8 @@ url.query: short: Query string of the request. type: keyword url.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. @@ -8242,6 +8412,8 @@ user.domain: short: Name of the directory the user is a member of. type: keyword user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-email description: User email address. flat_name: user.email @@ -8251,6 +8423,8 @@ user.email: short: User email address. type: wildcard user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-full-name description: User's full name, if available. example: Albert Einstein 
@@ -8325,6 +8499,8 @@ user.id: short: Unique identifier of the user. type: keyword user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-name description: Short name or login of the user. example: albert @@ -8374,6 +8550,8 @@ user_agent.name: short: Name of the user agent. type: keyword user_agent.original: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-agent-original description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 @@ -8402,6 +8580,8 @@ user_agent.os.family: short: OS family (such as redhat, debian, freebsd, windows). type: keyword user_agent.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-agent-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -8430,6 +8610,8 @@ user_agent.os.kernel: short: Operating system kernel version as a raw string. type: keyword user_agent.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used to be + type `keyword`. dashed_name: user-agent-os-name description: Operating system name, without the version. example: Mac OS X diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 4aaf22ca63..23bc6b3da3 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -8,6 +8,8 @@ agent: event happened or the measurement was taken.' fields: agent.build.original: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: agent-build-original description: 'Extended build information for the agent. 
@@ -118,6 +120,8 @@ as: short: Unique number allocated to the autonomous system. type: long as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: as-organization-name description: Organization name. example: Google LLC @@ -273,6 +277,8 @@ client: short: Unique number allocated to the autonomous system. type: long client.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-as-organization-name description: Organization name. example: Google LLC @@ -300,6 +306,8 @@ client: short: Bytes sent from the client to the server. type: long client.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-domain description: Client domain. flat_name: client.domain @@ -368,6 +376,8 @@ client: short: Longitude and latitude. type: geo_point client.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -473,6 +483,8 @@ client: short: Port of the client. type: long client.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-registered-domain description: 'The highest registered client domain, stripped of the subdomain. @@ -537,6 +549,8 @@ client: short: Name of the directory the user is a member of. type: keyword client.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-user-email description: User email address. flat_name: client.user.email 
@@ -547,6 +561,8 @@ client: short: User email address. type: wildcard client.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-user-full-name description: User's full name, if available. example: Albert Einstein @@ -624,6 +640,8 @@ client: short: Unique identifier of the user. type: keyword client.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: client-user-name description: Short name or login of the user. example: albert @@ -1004,6 +1022,8 @@ destination: short: Unique number allocated to the autonomous system. type: long destination.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-as-organization-name description: Organization name. example: Google LLC @@ -1031,6 +1051,8 @@ destination: short: Bytes sent from the destination to the source. type: long destination.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-domain description: Destination domain. flat_name: destination.domain @@ -1099,6 +1121,8 @@ destination: short: Longitude and latitude. type: geo_point destination.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -1203,6 +1227,8 @@ destination: short: Port of the destination. type: long destination.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-registered-domain description: 'The highest registered destination domain, stripped of the subdomain. 
@@ -1267,6 +1293,8 @@ destination: short: Name of the directory the user is a member of. type: keyword destination.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-user-email description: User email address. flat_name: destination.user.email @@ -1277,6 +1305,8 @@ destination: short: User email address. type: wildcard destination.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-user-full-name description: User's full name, if available. example: Albert Einstein @@ -1354,6 +1384,8 @@ destination: short: Unique identifier of the user. type: keyword destination.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: destination-user-name description: Short name or login of the user. example: albert @@ -1617,6 +1649,8 @@ dll: short: A hash of the imports in a PE file. type: keyword dll.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: dll-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -1698,6 +1732,8 @@ dns: short: The class of DNS data contained in this resource record. type: keyword dns.answers.data: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: dns-answers-data description: 'The data describing the resource. @@ -1800,6 +1836,8 @@ dns: short: The class of records being queried. type: keyword dns.question.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: dns-question-name description: 'The name being queried. 
@@ -1987,11 +2025,11 @@ error: short: Error message. type: text error.stack_trace: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: error-stack-trace description: The stack trace of this error in plain text. - doc_values: false flat_name: error.stack_trace - index: false level: extended multi_fields: - flat_name: error.stack_trace.text @@ -2003,6 +2041,8 @@ error: short: The stack trace of this error in plain text. type: wildcard error.type: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: error-type description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException @@ -2940,6 +2980,8 @@ file: short: Device that is the source of the file. type: keyword file.directory: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-directory description: Directory where the file is located. It should include the drive letter, when appropriate. @@ -3111,6 +3153,8 @@ file: short: File owner's username. type: keyword file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-path description: Full path to the file, including the file name. It should include the drive letter, when appropriate. @@ -3191,6 +3235,8 @@ file: short: A hash of the imports in a PE file. type: keyword file.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE 
@@ -3226,6 +3272,8 @@ file: short: File size in bytes. type: long file.target_path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-target-path description: Target path for symlinks. flat_name: file.target_path @@ -3303,6 +3351,8 @@ file: short: List of country (C) codes type: keyword file.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -3492,6 +3542,8 @@ file: short: List of country (C) code type: keyword file.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: file-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -3651,6 +3703,8 @@ geo: short: Longitude and latitude. type: geo_point geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -3921,6 +3975,8 @@ host: short: Longitude and latitude. type: geo_point host.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -3962,6 +4018,8 @@ host: short: Region name. type: keyword host.hostname: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-hostname description: 'Hostname of the host. 
@@ -4034,6 +4092,8 @@ host: short: OS family (such as redhat, debian, freebsd, windows). type: keyword host.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -4062,6 +4122,8 @@ host: short: Operating system kernel version as a raw string. type: keyword host.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-os-name description: Operating system name, without the version. example: Mac OS X @@ -4159,6 +4221,8 @@ host: short: Name of the directory the user is a member of. type: keyword host.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-user-email description: User email address. flat_name: host.user.email @@ -4169,6 +4233,8 @@ host: short: User email address. type: wildcard host.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-user-full-name description: User's full name, if available. example: Albert Einstein @@ -4246,6 +4312,8 @@ host: short: Unique identifier of the user. type: keyword host.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: host-user-name description: Short name or login of the user. example: albert @@ -4310,6 +4378,8 @@ http: short: Size in bytes of the request body. type: long http.request.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: http-request-body-content description: The full HTTP request body. example: Hello world 
@@ -4371,6 +4441,8 @@ http: short: Mime type of the body of the request. type: keyword http.request.referrer: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: http-request-referrer description: Referrer for this HTTP request. example: https://blog.example.com/ @@ -4392,6 +4464,8 @@ http: short: Size in bytes of the response body. type: long http.response.body.content: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: http-response-body-content description: The full HTTP response body. example: Hello world @@ -4529,6 +4603,8 @@ log: but rather in `event.*` or in other ECS fields.' fields: log.file.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: log-file-path description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. @@ -4559,6 +4635,8 @@ log: short: Log level of the log event. type: keyword log.logger: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: log-logger description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. @@ -5120,6 +5198,8 @@ observer: short: Longitude and latitude. type: geo_point observer.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: observer-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -5307,6 +5387,8 @@ observer: short: OS family (such as redhat, debian, freebsd, windows). type: keyword observer.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: observer-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -5335,6 +5417,8 @@ observer: short: Operating system kernel version as a raw string. type: keyword observer.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: observer-os-name description: Operating system name, without the version. example: Mac OS X @@ -5500,6 +5584,8 @@ organization: short: Unique identifier for the organization. type: keyword organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: organization-name description: Organization name. flat_name: organization.name @@ -5534,6 +5620,8 @@ os: short: OS family (such as redhat, debian, freebsd, windows). type: keyword os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -5560,6 +5648,8 @@ os: short: Operating system kernel version as a raw string. type: keyword os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: os-name description: Operating system name, without the version. example: Mac OS X @@ -5859,6 +5949,8 @@ pe: short: A hash of the imports in a PE file. type: keyword pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE 
@@ -6002,6 +6094,8 @@ process: content. type: boolean process.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -6039,6 +6133,8 @@ process: short: Unique identifier for the process. type: keyword process.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-executable description: Absolute path to the process executable. example: /usr/bin/ssh @@ -6111,6 +6207,8 @@ process: short: SHA512 hash. type: keyword process.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-name description: 'Process name. @@ -6227,6 +6325,8 @@ process: content. type: boolean process.parent.command_line: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-command-line description: 'Full command line that started the process, including the absolute path to the executable, and all arguments. @@ -6266,6 +6366,8 @@ process: short: Unique identifier for the process. type: keyword process.parent.executable: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-executable description: Absolute path to the process executable. example: /usr/bin/ssh @@ -6340,6 +6442,8 @@ process: short: SHA512 hash. type: keyword process.parent.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-name description: 'Process name. 
@@ -6422,6 +6526,8 @@ process: short: A hash of the imports in a PE file. type: keyword process.parent.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -6503,6 +6609,8 @@ process: short: Thread ID. type: long process.parent.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-thread-name description: Thread name. example: thread-0 @@ -6514,6 +6622,8 @@ process: short: Thread name. type: wildcard process.parent.title: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-title description: 'Process title. @@ -6543,6 +6653,8 @@ process: short: Seconds the process has been up. type: long process.parent.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-parent-working-directory description: The working directory of the process. example: /home/alice @@ -6623,6 +6735,8 @@ process: short: A hash of the imports in a PE file. type: keyword process.pe.original_file_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE @@ -6699,6 +6813,8 @@ process: short: Thread ID. type: long process.thread.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-thread-name description: Thread name. example: thread-0 
@@ -6709,6 +6825,8 @@ process: short: Thread name. type: wildcard process.title: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-title description: 'Process title. @@ -6736,6 +6854,8 @@ process: short: Seconds the process has been up. type: long process.working_directory: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: process-working-directory description: The working directory of the process. example: /home/alice @@ -6799,6 +6919,8 @@ registry: short: Original bytes written with base64 encoding. type: keyword registry.data.strings: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: registry-data-strings description: 'Content when writing string types. @@ -6838,6 +6960,8 @@ registry: short: Abbreviated name for the hive. type: keyword registry.key: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe @@ -6848,6 +6972,8 @@ registry: short: Hive-relative path of keys. type: wildcard registry.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution @@ -7122,6 +7248,8 @@ server: short: Unique number allocated to the autonomous system. type: long server.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-as-organization-name description: Organization name. example: Google LLC 
@@ -7149,6 +7277,8 @@ server: short: Bytes sent from the server to the client. type: long server.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-domain description: Server domain. flat_name: server.domain @@ -7217,6 +7347,8 @@ server: short: Longitude and latitude. type: geo_point server.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -7322,6 +7454,8 @@ server: short: Port of the server. type: long server.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-registered-domain description: 'The highest registered server domain, stripped of the subdomain. @@ -7386,6 +7520,8 @@ server: short: Name of the directory the user is a member of. type: keyword server.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-user-email description: User email address. flat_name: server.user.email @@ -7396,6 +7532,8 @@ server: short: User email address. type: wildcard server.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-user-full-name description: User's full name, if available. example: Albert Einstein @@ -7473,6 +7611,8 @@ server: short: Unique identifier of the user. type: keyword server.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: server-user-name description: Short name or login of the user. example: albert 
@@ -7685,6 +7825,8 @@ source: short: Unique number allocated to the autonomous system. type: long source.as.organization.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-as-organization-name description: Organization name. example: Google LLC @@ -7712,6 +7854,8 @@ source: short: Bytes sent from the source to the destination. type: long source.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-domain description: Source domain. flat_name: source.domain @@ -7780,6 +7924,8 @@ source: short: Longitude and latitude. type: geo_point source.geo.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -7885,6 +8031,8 @@ source: short: Port of the source. type: long source.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-registered-domain description: 'The highest registered source domain, stripped of the subdomain. @@ -7949,6 +8097,8 @@ source: short: Name of the directory the user is a member of. type: keyword source.user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-user-email description: User email address. flat_name: source.user.email @@ -7959,6 +8109,8 @@ source: short: User email address. type: wildcard source.user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-user-full-name description: User's full name, if available. example: Albert Einstein 
@@ -8036,6 +8188,8 @@ source: short: Unique identifier of the user. type: keyword source.user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: source-user-name description: Short name or login of the user. example: albert @@ -8328,6 +8482,8 @@ tls: of certificate offered by the client. type: keyword tls.client.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-issuer description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. @@ -8388,6 +8544,8 @@ tls: short: Hostname the client is trying to connect to. Also called the SNI. type: keyword tls.client.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-subject description: Distinguished name of subject of the x.509 certificate presented by the client. @@ -8454,6 +8612,8 @@ tls: short: List of country (C) codes type: keyword tls.client.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -8643,6 +8803,8 @@ tls: short: List of country (C) code type: keyword tls.client.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-client-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net 
@@ -8833,6 +8995,8 @@ tls: of certificate offered by the server. type: keyword tls.server.issuer: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-issuer description: Subject of the issuer of the x.509 certificate presented by the server. @@ -8879,6 +9043,8 @@ tls: short: Timestamp indicating when server certificate is first considered valid. type: date tls.server.subject: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-subject description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com @@ -8930,6 +9096,8 @@ tls: short: List of country (C) codes type: keyword tls.server.x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance @@ -9119,6 +9287,8 @@ tls: short: List of country (C) code type: keyword tls.server.x509.subject.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: tls-server-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -9294,6 +9464,8 @@ url: the breaking down into scheme, domain, path, and so on. fields: url.domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-domain description: 'Domain of the url, such as "www.elastic.co". 
@@ -9343,6 +9515,8 @@ url: short: Portion of the url after the `#`. type: keyword url.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event @@ -9360,6 +9534,8 @@ url: short: Full unparsed URL. type: wildcard url.original: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-original description: 'Unmodified original url as seen in the event source. @@ -9390,6 +9566,8 @@ url: short: Password of the request. type: keyword url.path: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-path description: Path of the request, such as "/search". flat_name: url.path @@ -9426,6 +9604,8 @@ url: short: Query string of the request. type: keyword url.registered_domain: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. @@ -9525,6 +9705,8 @@ user: short: Name of the directory the user is a member of. type: keyword user.email: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-email description: User email address. flat_name: user.email @@ -9534,6 +9716,8 @@ user: short: User email address. type: wildcard user.full_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-full-name description: User's full name, if available. example: Albert Einstein 
@@ -9608,6 +9792,8 @@ user: short: Unique identifier of the user. type: keyword user.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-name description: Short name or login of the user. example: albert @@ -9692,6 +9878,8 @@ user_agent: short: Name of the user agent. type: keyword user_agent.original: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-agent-original description: Unparsed user_agent string. example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 @@ -9720,6 +9908,8 @@ user_agent: short: OS family (such as redhat, debian, freebsd, windows). type: keyword user_agent.os.full: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-agent-os-full description: Operating system name, including the version or code name. example: Mac OS Mojave @@ -9748,6 +9938,8 @@ user_agent: short: Operating system kernel version as a raw string. type: keyword user_agent.os.name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: user-agent-os-name description: Operating system name, without the version. example: Mac OS X @@ -10128,6 +10320,8 @@ x509: short: List of country (C) codes type: keyword x509.issuer.distinguished_name: + beta: Note the usage of `wildcard` type is considered beta. This field used + to be type `keyword`. dashed_name: x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance 
@@ -10302,6 +10496,8 @@ x509:
short: List of country (C) code
type: keyword
x509.subject.distinguished_name:
+ beta: Note the usage of `wildcard` type is considered beta. This field used
+ to be type `keyword`.
dashed_name: x509-subject-distinguished-name
description: Distinguished name (DN) of the certificate subject entity.
example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index 893fe6a9b2..9ea2b983cc 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -647,14 +647,12 @@
"type": "text"
},
"stack_trace": {
- "doc_values": false,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
- "index": false,
"type": "wildcard"
},
"type": {
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 92eab5277e..190a7fcb7d 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -646,14 +646,12 @@
"type": "text"
},
"stack_trace": {
- "doc_values": false,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
- "index": false,
"type": "wildcard"
},
"type": {