diff --git a/code/go/ecs/version.go b/code/go/ecs/version.go index 6aba04736b..ded6dab3b7 100644 --- a/code/go/ecs/version.go +++ b/code/go/ecs/version.go @@ -20,4 +20,4 @@ package ecs // Version is the Elastic Common Schema version from which this was generated. -const Version = "1.9.0-dev" +const Version = "1.9.0" diff --git a/docs/fields.asciidoc b/docs/fields.asciidoc index 3d6f8fa662..4ab5aa1cab 100644 --- a/docs/fields.asciidoc +++ b/docs/fields.asciidoc @@ -2,7 +2,7 @@ [[ecs-field-reference]] == {ecs} Field Reference -This is the documentation of ECS version 1.9.0-dev. +This is the documentation of ECS version 1.9.0. ECS defines multiple groups of related fields. They are called "field sets". The <> field set is the only one whose fields are defined diff --git a/docs/index.asciidoc b/docs/index.asciidoc index 58a21f5124..74f47b333a 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc @@ -10,7 +10,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] [[ecs-reference]] == Overview -This is the documentation of ECS version 1.9.0-dev. +This is the documentation of ECS version 1.9.0. [float] === What is ECS? diff --git a/experimental/code/go/ecs/agent.go b/experimental/code/go/ecs/agent.go new file mode 100644 index 0000000000..6c0462df4f --- /dev/null +++ b/experimental/code/go/ecs/agent.go 
@@ -0,0 +1,26 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type Agent struct { + // + BuildOriginal string `ecs:"build.original"` +} diff --git a/experimental/code/go/ecs/as.go b/experimental/code/go/ecs/as.go new file mode 100644 index 0000000000..fa4fa9d9f3 --- /dev/null +++ b/experimental/code/go/ecs/as.go 
@@ -0,0 +1,26 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type AS struct { + // + OrganizationName string `ecs:"organization.name"` +} diff --git a/experimental/code/go/ecs/client.go b/experimental/code/go/ecs/client.go new file mode 100644 index 0000000000..1b1db2e853 --- /dev/null +++ b/experimental/code/go/ecs/client.go 
@@ -0,0 +1,29 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type Client struct { + // + Domain string `ecs:"domain"` + + // + RegisteredDomain string `ecs:"registered_domain"` +} diff --git a/experimental/code/go/ecs/data_stream.go b/experimental/code/go/ecs/data_stream.go new file mode 100644 index 0000000000..251a97211a --- /dev/null +++ b/experimental/code/go/ecs/data_stream.go 
@@ -0,0 +1,66 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// The data_stream fields take part in defining the new data stream naming +// scheme. +// In the new data stream naming scheme the value of the data stream fields +// combine to the name of the actual data stream in the following manner +// `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This +// means the fields can only contain characters that are valid as part of names +// of data streams. More details about this can be found in this +// https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog +// post]. +// An Elasticsearch data stream consists of one or more backing indices, and a +// data stream name forms part of the backing indices names. Due to this +// convention, data streams must also follow index naming restrictions. For +// example, data stream names cannot include \, /, *, ?, ", <, >, |, ` `. +// Please see the Elasticsearch reference for additional +// https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions]. 
+type DataStream struct { + // An overarching type for the data stream. + // Currently allowed values are "logs" and "metrics". We expect to also add + // "traces" and "synthetics" in the near future. + Type string `ecs:"type"` + + // The field can contain anything that makes sense to signify the source of + // the data. + // Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data + // streams that otherwise fit, but that do not have dataset set we use the + // value "generic" for the dataset value. `event.dataset` should have the + // same value as `data_stream.dataset`. + // Beyond the Elasticsearch data stream naming criteria noted above, the + // `dataset` value has additional restrictions: + // * Must not contain `-` + // * No longer than 100 characters + Dataset string `ecs:"dataset"` + + // A user defined namespace. Namespaces are useful to allow grouping of + // data. + // Many users already organize their indices this way, and the data stream + // naming scheme now provides this best practice as a default. Many users + // will populate this field with `default`. If no value is used, it falls + // back to `default`. + // Beyond the Elasticsearch index naming criteria noted above, `namespace` + // value has the additional restrictions: + // * Must not contain `-` + // * No longer than 100 characters + Namespace string `ecs:"namespace"` +} diff --git a/experimental/code/go/ecs/destination.go b/experimental/code/go/ecs/destination.go new file mode 100644 index 0000000000..d06a48b1c1 --- /dev/null +++ b/experimental/code/go/ecs/destination.go 
@@ -0,0 +1,29 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type Destination struct { + // + Domain string `ecs:"domain"` + + // + RegisteredDomain string `ecs:"registered_domain"` +} diff --git a/experimental/code/go/ecs/dns.go b/experimental/code/go/ecs/dns.go new file mode 100644 index 0000000000..4d32dfc917 --- /dev/null +++ b/experimental/code/go/ecs/dns.go 
@@ -0,0 +1,32 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type Dns struct { + // + QuestionName string `ecs:"question.name"` + + // + Answers map[string]interface{} `ecs:"answers"` + + // + AnswersData string `ecs:"answers.data"` +} diff --git a/experimental/code/go/ecs/elf.go b/experimental/code/go/ecs/elf.go new file mode 100644 index 0000000000..94fc4d84a7 --- /dev/null +++ b/experimental/code/go/ecs/elf.go 
@@ -0,0 +1,120 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +import ( + "time" +) + +// These fields contain Linux Executable Linkable Format (ELF) metadata. +type Elf struct { + // Extracted when possible from the file's metadata. Indicates when it was + // built or compiled. It can also be faked by malware creators. + CreationDate time.Time `ecs:"creation_date"` + + // Machine architecture of the ELF file. + Architecture string `ecs:"architecture"` + + // Byte sequence of ELF file. + ByteOrder string `ecs:"byte_order"` + + // CPU type of the ELF file. + CpuType string `ecs:"cpu_type"` + + // Header class of the ELF file. + HeaderClass string `ecs:"header.class"` + + // Data table of the ELF header. + HeaderData string `ecs:"header.data"` + + // Application Binary Interface (ABI) of the Linux OS. + HeaderOsAbi string `ecs:"header.os_abi"` + + // Header type of the ELF file. + HeaderType string `ecs:"header.type"` + + // Version of the ELF header. + HeaderVersion string `ecs:"header.version"` + + // Version of the ELF Application Binary Interface (ABI). 
+ HeaderAbiVersion string `ecs:"header.abi_version"` + + // Header entrypoint of the ELF file. + HeaderEntrypoint int64 `ecs:"header.entrypoint"` + + // "0x1" for original ELF files. + HeaderObjectVersion string `ecs:"header.object_version"` + + // Section information of the ELF file. + Sections []Sections `ecs:""` + + // List of exported element names and types. + Exports string `ecs:"exports"` + + // List of imported element names and types. + Imports string `ecs:"imports"` + + // List of shared libraries used by this ELF object + SharedLibraries string `ecs:"shared_libraries"` + + // telfhash is symbol hash for ELF files, just like imphash is imports hash + // for PE files. Learn more at https://github.com/trendmicro/telfhash. + Telfhash string `ecs:"telfhash"` + + // ELF object segment list. + Segments []Segments `ecs:""` +} + +type Sections struct { + // ELF Section List flags. + Flags string `ecs:"flags"` + + // ELF Section List name. + Name string `ecs:"name"` + + // ELF Section List offset. + PhysicalOffset string `ecs:"physical_offset"` + + // ELF Section List type. + Type string `ecs:"type"` + + // ELF Section List physical size. + PhysicalSize int64 `ecs:"physical_size"` + + // ELF Section List virtual address. + VirtualAddress int64 `ecs:"virtual_address"` + + // ELF Section List virtual size. + VirtualSize int64 `ecs:"virtual_size"` + + // Shannon entropy calculation from the section. + Entropy int64 `ecs:"entropy"` + + // Chi-square probability distribution of the section. + Chi2 int64 `ecs:"chi2"` +} + +type Segments struct { + // ELF object segment type. + Type string `ecs:"type"` + + // ELF object segment sections. + Sections string `ecs:"sections"` +} diff --git a/experimental/code/go/ecs/error.go b/experimental/code/go/ecs/error.go new file mode 100644 index 0000000000..7c6c52331c --- /dev/null +++ b/experimental/code/go/ecs/error.go 
@@ -0,0 +1,29 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type Error struct { + // + StackTrace string `ecs:"stack_trace"` + + // + Type string `ecs:"type"` +} diff --git a/experimental/code/go/ecs/file.go b/experimental/code/go/ecs/file.go new file mode 100644 index 0000000000..81ab00a4cd --- /dev/null +++ b/experimental/code/go/ecs/file.go 
@@ -0,0 +1,32 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type File struct { + // + Directory string `ecs:"directory"` + + // + Path string `ecs:"path"` + + // + TargetPath string `ecs:"target_path"` +} diff --git a/experimental/code/go/ecs/geo.go b/experimental/code/go/ecs/geo.go new file mode 100644 index 0000000000..33c7857a04 --- /dev/null +++ b/experimental/code/go/ecs/geo.go 
@@ -0,0 +1,26 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type Geo struct { + // + Name string `ecs:"name"` +} diff --git a/experimental/code/go/ecs/hash.go b/experimental/code/go/ecs/hash.go new file mode 100644 index 0000000000..2e3578df8a --- /dev/null +++ b/experimental/code/go/ecs/hash.go 
@@ -0,0 +1,23 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type Hash struct{} diff --git a/experimental/code/go/ecs/host.go b/experimental/code/go/ecs/host.go new file mode 100644 index 0000000000..225e00c7f6 --- /dev/null +++ b/experimental/code/go/ecs/host.go 
@@ -0,0 +1,26 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type Host struct { + // + Hostname string `ecs:"hostname"` +} diff --git a/experimental/code/go/ecs/http.go b/experimental/code/go/ecs/http.go new file mode 100644 index 0000000000..413c4f0105 --- /dev/null +++ b/experimental/code/go/ecs/http.go 
@@ -0,0 +1,32 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type Http struct { + // + RequestBodyContent string `ecs:"request.body.content"` + + // + RequestReferrer string `ecs:"request.referrer"` + + // + ResponseBodyContent string `ecs:"response.body.content"` +} diff --git a/experimental/code/go/ecs/log.go b/experimental/code/go/ecs/log.go new file mode 100644 index 0000000000..f6b92072bb --- /dev/null +++ b/experimental/code/go/ecs/log.go 
@@ -0,0 +1,29 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type Log struct { + // + FilePath string `ecs:"file.path"` + + // + Logger string `ecs:"logger"` +} diff --git a/experimental/code/go/ecs/orchestrator.go b/experimental/code/go/ecs/orchestrator.go new file mode 100644 index 0000000000..889a66dc38 --- /dev/null +++ b/experimental/code/go/ecs/orchestrator.go 
@@ -0,0 +1,52 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// Fields that describe the resources which container orchestrators manage or +// act upon. +type Orchestrator struct { + // Name of the cluster. + ClusterName string `ecs:"cluster.name"` + + // URL of the API used to manage the cluster. + ClusterUrl string `ecs:"cluster.url"` + + // The version of the cluster. + ClusterVersion string `ecs:"cluster.version"` + + // Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). + Type string `ecs:"type"` + + // Organization affected by the event (for multi-tenant orchestrator + // setups). + Organization string `ecs:"organization"` + + // Namespace in which the action is taking place. + Namespace string `ecs:"namespace"` + + // Name of the resource being acted upon. + ResourceName string `ecs:"resource.name"` + + // Type of resource being acted upon. + ResourceType string `ecs:"resource.type"` + + // API version being used to carry out the action + ApiVersion string `ecs:"api_version"` +} 
diff --git a/experimental/code/go/ecs/organization.go b/experimental/code/go/ecs/organization.go new file mode 100644 index 0000000000..3ba070b8d5 --- /dev/null +++ b/experimental/code/go/ecs/organization.go @@ -0,0 +1,26 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type Organization struct { + // + Name string `ecs:"name"` +} diff --git a/experimental/code/go/ecs/os.go b/experimental/code/go/ecs/os.go new file mode 100644 index 0000000000..88e6b5d82b --- /dev/null +++ b/experimental/code/go/ecs/os.go 
@@ -0,0 +1,29 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type Os struct { + // + Name string `ecs:"name"` + + // + Full string `ecs:"full"` +} diff --git a/experimental/code/go/ecs/pe.go b/experimental/code/go/ecs/pe.go new file mode 100644 index 0000000000..c3712eb022 --- /dev/null +++ b/experimental/code/go/ecs/pe.go 
@@ -0,0 +1,135 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +import ( + "time" +) + +// +type Pe struct { + // + OriginalFileName string `ecs:"original_file_name"` + + // Difference Hash (dhash) to find files with a visually similar icon or + // thumbnail. + IconHashDhash string `ecs:"icon.hash.dhash"` + + // An array containing an object for each debug entry, if present. + // The expected fields for this nested object fall under the `debug.` + // prefix. + Debug []Debug `ecs:""` + + // List of all imported functions + Imports string `ecs:"imports"` + + // Data about sections of compiled binary PE + Sections []Sections `ecs:""` + + // An array containing an object for each PE resource, if present. + // The expected fields for this nested object fall under the `resources.` + // prefix. + Resources []Resources `ecs:""` + + // List of symbols exported by PE + Exports string `ecs:"exports"` + + // Extracted when possible from the file's metadata. Indicates when it was + // built or compiled. It can also be faked by malware creators. + CreationDate time.Time `ecs:"creation_date"` + + // Authentihash of the PE file. 
+ Authentihash string `ecs:"authentihash"` + + // Compile timestamp of the PE file. + CompileTimestamp time.Time `ecs:"compile_timestamp"` + + // Name of the compiler + CompilerName string `ecs:"compiler.name"` + + // Version of the compiler. + CompilerVersion string `ecs:"compiler.version"` + + // MD5 hash of the header for the PE file. + RichHeaderHashMd5 string `ecs:"rich_header.hash.md5"` + + // Relative byte offset to the base of the PE file. + EntryPoint string `ecs:"entry_point"` + + // Machine type of the PE file. + MachineType string `ecs:"machine_type"` + + // List of packers and tools used. + Packers string `ecs:"packers"` +} + +type Debug struct { + // Debug offset information. + Offset string `ecs:"offset"` + + // Size of the debug information. + Size int64 `ecs:"size"` + + // Information type generated by the debug options. + Type string `ecs:"type"` + + // Timestamp of the debug information. + Timestamp time.Time `ecs:"timestamp"` +} + +type Resources struct { + // Chi-square probability distribution. + Chi2 int64 `ecs:"chi2"` + + // File type of the resources section. + Filetype string `ecs:"filetype"` + + // Measurement of entropy randomness in the resources section. + Entropy int64 `ecs:"entropy"` + + // SHA256 hash of resources section. + Sha256 string `ecs:"sha256"` + + // Language identification. + Language string `ecs:"language"` + + // Digest of resource types. + Type string `ecs:"type"` +} + +type Sections struct { + // Chi-square probability distribution. + Chi2 int64 `ecs:"chi2"` + + // Virtual address available to the file. + VirtualAddress int64 `ecs:"virtual_address"` + + // Measurement of entropy randomness in the file. + Entropy float64 `ecs:"entropy"` + + // Section flags of the file. + Flags string `ecs:"flags"` + + // Section names of the file. + Name string `ecs:"name"` + + // Size of the section or the dize of the initialized data on disk. + RawSize int64 `ecs:"raw_size"` +} 
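Review bot: `type Sections struct` is declared at package level in pe.go here and again in elf.go in the same `package ecs`, so this experimental package will not build (`Sections redeclared in this block`). Since both files are marked DO NOT EDIT, the fix belongs in scripts/gocodegen.go: emit nested object types prefixed with their parent field set, e.g. `type PeSections struct` / `type ElfSections struct` (and likewise `PeDebug`, `PeResources`, `ElfSegments`), then regenerate. The nested fields also carry an empty tag, `Sections []Sections` with `ecs:""`, so the ECS path `sections`/`debug`/`resources`/`segments` is lost to any tag-driven mapper; the generator should emit `ecs:"sections"` and so on. Lesser point: `Entropy` is `int64` in elf.go's `Sections` but `float64` here for the same Shannon-entropy measurement, so the ELF side will truncate fractional values.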
diff --git a/experimental/code/go/ecs/process.go b/experimental/code/go/ecs/process.go new file mode 100644 index 0000000000..45a5b7d050 --- /dev/null +++ b/experimental/code/go/ecs/process.go @@ -0,0 +1,41 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type Process struct { + // + CommandLine string `ecs:"command_line"` + + // + Executable string `ecs:"executable"` + + // + Name string `ecs:"name"` + + // + ThreadName string `ecs:"thread.name"` + + // + Title string `ecs:"title"` + + // + WorkingDirectory string `ecs:"working_directory"` +} diff --git a/experimental/code/go/ecs/registry.go b/experimental/code/go/ecs/registry.go new file mode 100644 index 0000000000..6d1b367841 --- /dev/null +++ b/experimental/code/go/ecs/registry.go 
@@ -0,0 +1,32 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type Registry struct { + // + Key string `ecs:"key"` + + // + Path string `ecs:"path"` + + // + DataStrings string `ecs:"data.strings"` +} diff --git a/experimental/code/go/ecs/server.go b/experimental/code/go/ecs/server.go new file mode 100644 index 0000000000..c32bfd34d7 --- /dev/null +++ b/experimental/code/go/ecs/server.go 
@@ -0,0 +1,29 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type Server struct { + // + Domain string `ecs:"domain"` + + // + RegisteredDomain string `ecs:"registered_domain"` +} diff --git a/experimental/code/go/ecs/source.go b/experimental/code/go/ecs/source.go new file mode 100644 index 0000000000..8aeb281f59 --- /dev/null +++ b/experimental/code/go/ecs/source.go 
@@ -0,0 +1,29 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type Source struct { + // + Domain string `ecs:"domain"` + + // + RegisteredDomain string `ecs:"registered_domain"` +} diff --git a/experimental/code/go/ecs/threat.go b/experimental/code/go/ecs/threat.go new file mode 100644 index 0000000000..3ac4f92a5b --- /dev/null +++ b/experimental/code/go/ecs/threat.go 
@@ -0,0 +1,119 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +import ( + "time" +) + +// +type Threat struct { + // The date and time when intelligence source first reported sighting this + // indicator. + IndicatorFirstSeen time.Time `ecs:"indicator.first_seen"` + + // The date and time when intelligence source last reported sighting this + // indicator. + IndicatorLastSeen time.Time `ecs:"indicator.last_seen"` + + // Number of times this indicator was observed conducting threat activity. + IndicatorSightings int64 `ecs:"indicator.sightings"` + + // Type of indicator as represented by Cyber Observable in STIX 2.0. + // Expected values + // * autonomous-system + // * artifact + // * directory + // * domain-name + // * email-addr + // * file + // * ipv4-addr + // * ipv6-addr + // * mac-addr + // * mutex + // * process + // * software + // * url + // * user-account + // * windows-registry-key + // * x-509-certificate + IndicatorType string `ecs:"indicator.type"` + + // Describes the type of action conducted by the threat. 
+ IndicatorDescription string `ecs:"indicator.description"` + + // Count of AV/EDR vendors that successfully detected malicious file or + // URL. + IndicatorScannerStats int64 `ecs:"indicator.scanner_stats"` + + // Identifies the name of the intelligence provider. + IndicatorProvider string `ecs:"indicator.provider"` + + // Identifies the confidence rating assigned by the provider using STIX + // confidence scales. + // Expected values: + // * Not Specified, None, Low, Medium, High + // * 0-10 + // * Admirality Scale (1-6) + // * DNI Scale (5-95) + // * WEP Scale (Impossible - Certain) + IndicatorConfidence string `ecs:"indicator.confidence"` + + // Identifies the name of specific module this data is coming from. + IndicatorModule string `ecs:"indicator.module"` + + // Identifies the name of specific dataset from the intelligence source. + IndicatorDataset string `ecs:"indicator.dataset"` + + // Identifies a threat indicator as an IP address (irrespective of + // direction). + IndicatorIP string `ecs:"indicator.ip"` + + // Identifies a threat indicator as a domain (irrespective of direction). + IndicatorDomain string `ecs:"indicator.domain"` + + // Identifies a threat indicator as a port number (irrespective of + // direction). + IndicatorPort int64 `ecs:"indicator.port"` + + // Identifies a threat indicator as an email address (irrespective of + // direction). + IndicatorEmailAddress string `ecs:"indicator.email.address"` + + // Traffic Light Protocol sharing markings. + // Expected values are: + // * White + // * Green + // * Amber + // * Red + IndicatorMarkingTlp string `ecs:"indicator.marking.tlp"` + + // Identifies the atomic indicator that matched a local environment + // endpoint or network event. + IndicatorMatchedAtomic string `ecs:"indicator.matched.atomic"` + + // Identifies the field of the atomic indicator that matched a local + // environment endpoint or network event. 
+ IndicatorMatchedField string `ecs:"indicator.matched.field"` + + // Identifies the type of the atomic indicator that matched a local + // environment endpoint or network event. + IndicatorMatchedType string `ecs:"indicator.matched.type"` +} diff --git a/experimental/code/go/ecs/tls.go b/experimental/code/go/ecs/tls.go new file mode 100644 index 0000000000..da74901a82 --- /dev/null +++ b/experimental/code/go/ecs/tls.go @@ -0,0 +1,35 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type Tls struct { + // + ClientIssuer string `ecs:"client.issuer"` + + // + ClientSubject string `ecs:"client.subject"` + + // + ServerIssuer string `ecs:"server.issuer"` + + // + ServerSubject string `ecs:"server.subject"` +} diff --git a/experimental/code/go/ecs/url.go b/experimental/code/go/ecs/url.go new file mode 100644 index 0000000000..ae7cd6c1c4 --- /dev/null +++ b/experimental/code/go/ecs/url.go 
@@ -0,0 +1,38 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type Url struct { + // + Original string `ecs:"original"` + + // + Full string `ecs:"full"` + + // + Path string `ecs:"path"` + + // + Domain string `ecs:"domain"` + + // + RegisteredDomain string `ecs:"registered_domain"` +} diff --git a/experimental/code/go/ecs/user.go b/experimental/code/go/ecs/user.go new file mode 100644 index 0000000000..86aa0bfe27 --- /dev/null +++ b/experimental/code/go/ecs/user.go 
@@ -0,0 +1,32 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type User struct { + // + Name string `ecs:"name"` + + // + FullName string `ecs:"full_name"` + + // + Email string `ecs:"email"` +} diff --git a/experimental/code/go/ecs/user_agent.go b/experimental/code/go/ecs/user_agent.go new file mode 100644 index 0000000000..d63aa806ec --- /dev/null +++ b/experimental/code/go/ecs/user_agent.go 
@@ -0,0 +1,26 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type UserAgent struct { + // + Original string `ecs:"original"` +} diff --git a/experimental/code/go/ecs/version.go b/experimental/code/go/ecs/version.go new file mode 100644 index 0000000000..0aa8cb0f52 --- /dev/null +++ b/experimental/code/go/ecs/version.go 
@@ -0,0 +1,23 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// Version is the Elastic Common Schema version from which this was generated. +const Version = "2.0.0-dev" diff --git a/experimental/code/go/ecs/x509.go b/experimental/code/go/ecs/x509.go new file mode 100644 index 0000000000..4d13fa35d4 --- /dev/null +++ b/experimental/code/go/ecs/x509.go 
@@ -0,0 +1,29 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// +type X509 struct { + // + IssuerDistinguishedName string `ecs:"issuer.distinguished_name"` + + // + SubjectDistinguishedName string `ecs:"subject.distinguished_name"` +} diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 13bd5d57ab..46bc450dbe 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 1.9.0-dev+exp. +# based on ECS version 1.9.0+exp. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 4a34177817..aee4d11877 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -1,1089 +1,1089 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -1.9.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -1.9.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -1.9.0-dev+exp,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. -1.9.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -1.9.0-dev+exp,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -1.9.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -1.9.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -1.9.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -1.9.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -1.9.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -1.9.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. -1.9.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.9.0-dev+exp,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.9.0-dev+exp,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.9.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -1.9.0-dev+exp,true,client,client.domain,wildcard,core,,,Client domain. -1.9.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -1.9.0-dev+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. 
-1.9.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. -1.9.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.9.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -1.9.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.9.0-dev+exp,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.9.0-dev+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. -1.9.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.9.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -1.9.0-dev+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -1.9.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. -1.9.0-dev+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. -1.9.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -1.9.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port -1.9.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -1.9.0-dev+exp,true,client,client.port,long,core,,,Port of the client. -1.9.0-dev+exp,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -1.9.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -1.9.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.9.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev+exp,true,client,client.user.email,wildcard,extended,,,User email address. 
-1.9.0-dev+exp,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev+exp,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.9.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.9.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. -1.9.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.9.0-dev+exp,true,client,client.user.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev+exp,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user. -1.9.0-dev+exp,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. -1.9.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.9.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -1.9.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -1.9.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. -1.9.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -1.9.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -1.9.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -1.9.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -1.9.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. 
-1.9.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -1.9.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. -1.9.0-dev+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. -1.9.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. -1.9.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -1.9.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. -1.9.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. -1.9.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. -1.9.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -1.9.0-dev+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. -1.9.0-dev+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. -1.9.0-dev+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. -1.9.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. -1.9.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.9.0-dev+exp,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.9.0-dev+exp,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.9.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -1.9.0-dev+exp,true,destination,destination.domain,wildcard,core,,,Destination domain. 
-1.9.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -1.9.0-dev+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. -1.9.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -1.9.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.9.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -1.9.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.9.0-dev+exp,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.9.0-dev+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. -1.9.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.9.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -1.9.0-dev+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -1.9.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. -1.9.0-dev+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. -1.9.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -1.9.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -1.9.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -1.9.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. -1.9.0-dev+exp,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." 
-1.9.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -1.9.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.9.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev+exp,true,destination,destination.user.email,wildcard,extended,,,User email address. -1.9.0-dev+exp,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev+exp,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.9.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.9.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -1.9.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.9.0-dev+exp,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev+exp,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user. -1.9.0-dev+exp,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. -1.9.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.9.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.9.0-dev+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. 
-1.9.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.9.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.9.0-dev+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -1.9.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.9.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.9.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -1.9.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -1.9.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -1.9.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -1.9.0-dev+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. -1.9.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -1.9.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -1.9.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.9.0-dev+exp,true,dll,dll.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. -1.9.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.9.0-dev+exp,true,dll,dll.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. -1.9.0-dev+exp,true,dll,dll.pe.compiler.name,keyword,extended,,Clang,Name of the compiler -1.9.0-dev+exp,true,dll,dll.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. 
-1.9.0-dev+exp,true,dll,dll.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. -1.9.0-dev+exp,true,dll,dll.pe.debug,nested,extended,array,,Debug information -1.9.0-dev+exp,true,dll,dll.pe.debug.offset,keyword,extended,,1296336,Debug offset information. -1.9.0-dev+exp,true,dll,dll.pe.debug.size,long,extended,,816,Size of the debug information. -1.9.0-dev+exp,true,dll,dll.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. -1.9.0-dev+exp,true,dll,dll.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. -1.9.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.9.0-dev+exp,true,dll,dll.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. -1.9.0-dev+exp,true,dll,dll.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE -1.9.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.9.0-dev+exp,true,dll,dll.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. -1.9.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.9.0-dev+exp,true,dll,dll.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions -1.9.0-dev+exp,true,dll,dll.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. -1.9.0-dev+exp,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.9.0-dev+exp,true,dll,dll.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. 
-1.9.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.9.0-dev+exp,true,dll,dll.pe.resources,nested,extended,array,,PE resource information -1.9.0-dev+exp,true,dll,dll.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. -1.9.0-dev+exp,true,dll,dll.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. -1.9.0-dev+exp,true,dll,dll.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. -1.9.0-dev+exp,true,dll,dll.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. -1.9.0-dev+exp,true,dll,dll.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. -1.9.0-dev+exp,true,dll,dll.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. -1.9.0-dev+exp,true,dll,dll.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. -1.9.0-dev+exp,true,dll,dll.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE -1.9.0-dev+exp,true,dll,dll.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. -1.9.0-dev+exp,true,dll,dll.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. -1.9.0-dev+exp,true,dll,dll.pe.sections.flags,keyword,extended,,rx,Section flags of the file. -1.9.0-dev+exp,true,dll,dll.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. -1.9.0-dev+exp,true,dll,dll.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. -1.9.0-dev+exp,true,dll,dll.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. -1.9.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. 
-1.9.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -1.9.0-dev+exp,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. -1.9.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -1.9.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -1.9.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -1.9.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -1.9.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -1.9.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -1.9.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -1.9.0-dev+exp,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried. -1.9.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -1.9.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -1.9.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.9.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -1.9.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -1.9.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. 
-1.9.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -1.9.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -1.9.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. -1.9.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. -1.9.0-dev+exp,true,error,error.message,text,core,,,Error message. -1.9.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -1.9.0-dev+exp,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. -1.9.0-dev+exp,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -1.9.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -1.9.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -1.9.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. -1.9.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -1.9.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -1.9.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -1.9.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. -1.9.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -1.9.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. 
-1.9.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -1.9.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -1.9.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -1.9.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -1.9.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -1.9.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. -1.9.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -1.9.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -1.9.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -1.9.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -1.9.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. -1.9.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. -1.9.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -1.9.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. -1.9.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. 
-1.9.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -1.9.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. -1.9.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -1.9.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.9.0-dev+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -1.9.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.9.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.9.0-dev+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -1.9.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.9.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.9.0-dev+exp,true,file,file.created,date,extended,,,File creation time. -1.9.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -1.9.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -1.9.0-dev+exp,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. -1.9.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -1.9.0-dev+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. 
-1.9.0-dev+exp,true,file,file.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file. -1.9.0-dev+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -1.9.0-dev+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date. -1.9.0-dev+exp,true,file,file.elf.exports,flattened,extended,,,List of exported element names and types. -1.9.0-dev+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -1.9.0-dev+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. -1.9.0-dev+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. -1.9.0-dev+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -1.9.0-dev+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -1.9.0-dev+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -1.9.0-dev+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. -1.9.0-dev+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. -1.9.0-dev+exp,true,file,file.elf.imports,flattened,extended,,,List of imported element names and types. -1.9.0-dev+exp,true,file,file.elf.sections,nested,extended,,,Section information of the ELF file. -1.9.0-dev+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -1.9.0-dev+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -1.9.0-dev+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -1.9.0-dev+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. -1.9.0-dev+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. 
-1.9.0-dev+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -1.9.0-dev+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. -1.9.0-dev+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -1.9.0-dev+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -1.9.0-dev+exp,true,file,file.elf.segments,nested,extended,,,ELF object segment list. -1.9.0-dev+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -1.9.0-dev+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. -1.9.0-dev+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object -1.9.0-dev+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF files -1.9.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -1.9.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -1.9.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -1.9.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -1.9.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -1.9.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -1.9.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -1.9.0-dev+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -1.9.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -1.9.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -1.9.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -1.9.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. 
-1.9.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -1.9.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. -1.9.0-dev+exp,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.9.0-dev+exp,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.9.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.9.0-dev+exp,true,file,file.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. -1.9.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.9.0-dev+exp,true,file,file.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. -1.9.0-dev+exp,true,file,file.pe.compiler.name,keyword,extended,,Clang,Name of the compiler -1.9.0-dev+exp,true,file,file.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. -1.9.0-dev+exp,true,file,file.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. -1.9.0-dev+exp,true,file,file.pe.debug,nested,extended,array,,Debug information -1.9.0-dev+exp,true,file,file.pe.debug.offset,keyword,extended,,1296336,Debug offset information. -1.9.0-dev+exp,true,file,file.pe.debug.size,long,extended,,816,Size of the debug information. -1.9.0-dev+exp,true,file,file.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. -1.9.0-dev+exp,true,file,file.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. -1.9.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
-1.9.0-dev+exp,true,file,file.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. -1.9.0-dev+exp,true,file,file.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE -1.9.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.9.0-dev+exp,true,file,file.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. -1.9.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.9.0-dev+exp,true,file,file.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions -1.9.0-dev+exp,true,file,file.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. -1.9.0-dev+exp,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.9.0-dev+exp,true,file,file.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. -1.9.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.9.0-dev+exp,true,file,file.pe.resources,nested,extended,array,,PE resource information -1.9.0-dev+exp,true,file,file.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. -1.9.0-dev+exp,true,file,file.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. -1.9.0-dev+exp,true,file,file.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. -1.9.0-dev+exp,true,file,file.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. 
-1.9.0-dev+exp,true,file,file.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. -1.9.0-dev+exp,true,file,file.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. -1.9.0-dev+exp,true,file,file.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. -1.9.0-dev+exp,true,file,file.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE -1.9.0-dev+exp,true,file,file.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. -1.9.0-dev+exp,true,file,file.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. -1.9.0-dev+exp,true,file,file.pe.sections.flags,keyword,extended,,rx,Section flags of the file. -1.9.0-dev+exp,true,file,file.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. -1.9.0-dev+exp,true,file,file.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. -1.9.0-dev+exp,true,file,file.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. -1.9.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. -1.9.0-dev+exp,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. -1.9.0-dev+exp,true,file,file.target_path.text,text,extended,,,Target path for symlinks. -1.9.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -1.9.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -1.9.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
-1.9.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -1.9.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.9.0-dev+exp,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.9.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.9.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.9.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -1.9.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.9.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.9.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.9.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.9.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.9.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.9.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
-1.9.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -1.9.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.9.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.9.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.9.0-dev+exp,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.9.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.9.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -1.9.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.9.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.9.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -1.9.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.9.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.9.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. -1.9.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -1.9.0-dev+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -1.9.0-dev+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. 
-1.9.0-dev+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. -1.9.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -1.9.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -1.9.0-dev+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. -1.9.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -1.9.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.9.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -1.9.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.9.0-dev+exp,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.9.0-dev+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. -1.9.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.9.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -1.9.0-dev+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -1.9.0-dev+exp,true,host,host.hostname,wildcard,core,,,Hostname of the host. -1.9.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. -1.9.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. -1.9.0-dev+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -1.9.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. -1.9.0-dev+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -1.9.0-dev+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -1.9.0-dev+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. 
-1.9.0-dev+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. -1.9.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.9.0-dev+exp,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.9.0-dev+exp,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.9.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.9.0-dev+exp,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." -1.9.0-dev+exp,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.9.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.9.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -1.9.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.9.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. -1.9.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -1.9.0-dev+exp,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev+exp,true,host,host.user.email,wildcard,extended,,,User email address. -1.9.0-dev+exp,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev+exp,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev+exp,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-1.9.0-dev+exp,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.9.0-dev+exp,true,host,host.user.group.name,keyword,extended,,,Name of the group. -1.9.0-dev+exp,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.9.0-dev+exp,true,host,host.user.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev+exp,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user. -1.9.0-dev+exp,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. -1.9.0-dev+exp,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.9.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -1.9.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -1.9.0-dev+exp,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. -1.9.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -1.9.0-dev+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. -1.9.0-dev+exp,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. -1.9.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -1.9.0-dev+exp,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. -1.9.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -1.9.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -1.9.0-dev+exp,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. 
-1.9.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -1.9.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -1.9.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -1.9.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. -1.9.0-dev+exp,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -1.9.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. -1.9.0-dev+exp,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -1.9.0-dev+exp,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. -1.9.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -1.9.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -1.9.0-dev+exp,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." -1.9.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata -1.9.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -1.9.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -1.9.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -1.9.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -1.9.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -1.9.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. 
-1.9.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -1.9.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -1.9.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -1.9.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -1.9.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -1.9.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information -1.9.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.9.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.9.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -1.9.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -1.9.0-dev+exp,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. -1.9.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -1.9.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -1.9.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.9.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
-1.9.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information -1.9.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -1.9.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -1.9.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -1.9.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.9.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.9.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -1.9.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -1.9.0-dev+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. -1.9.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -1.9.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.9.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -1.9.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.9.0-dev+exp,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.9.0-dev+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. -1.9.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.9.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -1.9.0-dev+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -1.9.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. 
-1.9.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information -1.9.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -1.9.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -1.9.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -1.9.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.9.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.9.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -1.9.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -1.9.0-dev+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. -1.9.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -1.9.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.9.0-dev+exp,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.9.0-dev+exp,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.9.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.9.0-dev+exp,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." -1.9.0-dev+exp,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.9.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
-1.9.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -1.9.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.9.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -1.9.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -1.9.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -1.9.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -1.9.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. -1.9.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -1.9.0-dev+exp,true,organization,organization.name,wildcard,extended,,,Organization name. -1.9.0-dev+exp,true,organization,organization.name.text,text,extended,,,Organization name. -1.9.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -1.9.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -1.9.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -1.9.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -1.9.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -1.9.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. 
-1.9.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -1.9.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name -1.9.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -1.9.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -1.9.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. -1.9.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type -1.9.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version -1.9.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -1.9.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. -1.9.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.9.0-dev+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -1.9.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.9.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.9.0-dev+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -1.9.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.9.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 
-1.9.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.9.0-dev+exp,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.9.0-dev+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -1.9.0-dev+exp,true,process,process.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file. -1.9.0-dev+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -1.9.0-dev+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date. -1.9.0-dev+exp,true,process,process.elf.exports,flattened,extended,,,List of exported element names and types. -1.9.0-dev+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -1.9.0-dev+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. -1.9.0-dev+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. -1.9.0-dev+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -1.9.0-dev+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -1.9.0-dev+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -1.9.0-dev+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. -1.9.0-dev+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. -1.9.0-dev+exp,true,process,process.elf.imports,flattened,extended,,,List of imported element names and types. -1.9.0-dev+exp,true,process,process.elf.sections,nested,extended,,,Section information of the ELF file. 
-1.9.0-dev+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -1.9.0-dev+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -1.9.0-dev+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. -1.9.0-dev+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. -1.9.0-dev+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -1.9.0-dev+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -1.9.0-dev+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. -1.9.0-dev+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -1.9.0-dev+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -1.9.0-dev+exp,true,process,process.elf.segments,nested,extended,,,ELF object segment list. -1.9.0-dev+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. -1.9.0-dev+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. -1.9.0-dev+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object -1.9.0-dev+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF files -1.9.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -1.9.0-dev+exp,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.9.0-dev+exp,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.9.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. 
-1.9.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -1.9.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -1.9.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -1.9.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -1.9.0-dev+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. -1.9.0-dev+exp,true,process,process.name,wildcard,extended,,ssh,Process name. -1.9.0-dev+exp,true,process,process.name.text,text,extended,,ssh,Process name. -1.9.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -1.9.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -1.9.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.9.0-dev+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -1.9.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.9.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.9.0-dev+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -1.9.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.9.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.9.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-1.9.0-dev+exp,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.9.0-dev+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -1.9.0-dev+exp,true,process,process.parent.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file. -1.9.0-dev+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -1.9.0-dev+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. -1.9.0-dev+exp,true,process,process.parent.elf.exports,flattened,extended,,,List of exported element names and types. -1.9.0-dev+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -1.9.0-dev+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. -1.9.0-dev+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. -1.9.0-dev+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -1.9.0-dev+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -1.9.0-dev+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -1.9.0-dev+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. -1.9.0-dev+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. -1.9.0-dev+exp,true,process,process.parent.elf.imports,flattened,extended,,,List of imported element names and types. -1.9.0-dev+exp,true,process,process.parent.elf.sections,nested,extended,,,Section information of the ELF file. 
-1.9.0-dev+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -1.9.0-dev+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -1.9.0-dev+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. -1.9.0-dev+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. -1.9.0-dev+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -1.9.0-dev+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -1.9.0-dev+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. -1.9.0-dev+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -1.9.0-dev+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -1.9.0-dev+exp,true,process,process.parent.elf.segments,nested,extended,,,ELF object segment list. -1.9.0-dev+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. -1.9.0-dev+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. -1.9.0-dev+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object -1.9.0-dev+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF files -1.9.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -1.9.0-dev+exp,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.9.0-dev+exp,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. 
-1.9.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -1.9.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -1.9.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -1.9.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -1.9.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -1.9.0-dev+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -1.9.0-dev+exp,true,process,process.parent.name,wildcard,extended,,ssh,Process name. -1.9.0-dev+exp,true,process,process.parent.name.text,text,extended,,ssh,Process name. -1.9.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.9.0-dev+exp,true,process,process.parent.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. -1.9.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.9.0-dev+exp,true,process,process.parent.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. -1.9.0-dev+exp,true,process,process.parent.pe.compiler.name,keyword,extended,,Clang,Name of the compiler -1.9.0-dev+exp,true,process,process.parent.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. -1.9.0-dev+exp,true,process,process.parent.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. -1.9.0-dev+exp,true,process,process.parent.pe.debug,nested,extended,array,,Debug information -1.9.0-dev+exp,true,process,process.parent.pe.debug.offset,keyword,extended,,1296336,Debug offset information. -1.9.0-dev+exp,true,process,process.parent.pe.debug.size,long,extended,,816,Size of the debug information. 
-1.9.0-dev+exp,true,process,process.parent.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. -1.9.0-dev+exp,true,process,process.parent.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. -1.9.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.9.0-dev+exp,true,process,process.parent.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. -1.9.0-dev+exp,true,process,process.parent.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE -1.9.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.9.0-dev+exp,true,process,process.parent.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. -1.9.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.9.0-dev+exp,true,process,process.parent.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions -1.9.0-dev+exp,true,process,process.parent.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. -1.9.0-dev+exp,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.9.0-dev+exp,true,process,process.parent.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. -1.9.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
-1.9.0-dev+exp,true,process,process.parent.pe.resources,nested,extended,array,,PE resource information -1.9.0-dev+exp,true,process,process.parent.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. -1.9.0-dev+exp,true,process,process.parent.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. -1.9.0-dev+exp,true,process,process.parent.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. -1.9.0-dev+exp,true,process,process.parent.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. -1.9.0-dev+exp,true,process,process.parent.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. -1.9.0-dev+exp,true,process,process.parent.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. -1.9.0-dev+exp,true,process,process.parent.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. -1.9.0-dev+exp,true,process,process.parent.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE -1.9.0-dev+exp,true,process,process.parent.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. -1.9.0-dev+exp,true,process,process.parent.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. -1.9.0-dev+exp,true,process,process.parent.pe.sections.flags,keyword,extended,,rx,Section flags of the file. -1.9.0-dev+exp,true,process,process.parent.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. -1.9.0-dev+exp,true,process,process.parent.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. -1.9.0-dev+exp,true,process,process.parent.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. 
-1.9.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. -1.9.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. -1.9.0-dev+exp,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. -1.9.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -1.9.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -1.9.0-dev+exp,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name. -1.9.0-dev+exp,true,process,process.parent.title,wildcard,extended,,,Process title. -1.9.0-dev+exp,true,process,process.parent.title.text,text,extended,,,Process title. -1.9.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -1.9.0-dev+exp,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process. -1.9.0-dev+exp,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. -1.9.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.9.0-dev+exp,true,process,process.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. -1.9.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.9.0-dev+exp,true,process,process.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. -1.9.0-dev+exp,true,process,process.pe.compiler.name,keyword,extended,,Clang,Name of the compiler -1.9.0-dev+exp,true,process,process.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. -1.9.0-dev+exp,true,process,process.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. 
-1.9.0-dev+exp,true,process,process.pe.debug,nested,extended,array,,Debug information -1.9.0-dev+exp,true,process,process.pe.debug.offset,keyword,extended,,1296336,Debug offset information. -1.9.0-dev+exp,true,process,process.pe.debug.size,long,extended,,816,Size of the debug information. -1.9.0-dev+exp,true,process,process.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. -1.9.0-dev+exp,true,process,process.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. -1.9.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.9.0-dev+exp,true,process,process.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. -1.9.0-dev+exp,true,process,process.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE -1.9.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.9.0-dev+exp,true,process,process.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. -1.9.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.9.0-dev+exp,true,process,process.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions -1.9.0-dev+exp,true,process,process.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. -1.9.0-dev+exp,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
-1.9.0-dev+exp,true,process,process.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. -1.9.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.9.0-dev+exp,true,process,process.pe.resources,nested,extended,array,,PE resource information -1.9.0-dev+exp,true,process,process.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. -1.9.0-dev+exp,true,process,process.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. -1.9.0-dev+exp,true,process,process.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. -1.9.0-dev+exp,true,process,process.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. -1.9.0-dev+exp,true,process,process.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. -1.9.0-dev+exp,true,process,process.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. -1.9.0-dev+exp,true,process,process.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. -1.9.0-dev+exp,true,process,process.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE -1.9.0-dev+exp,true,process,process.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. -1.9.0-dev+exp,true,process,process.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. -1.9.0-dev+exp,true,process,process.pe.sections.flags,keyword,extended,,rx,Section flags of the file. -1.9.0-dev+exp,true,process,process.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. 
-1.9.0-dev+exp,true,process,process.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. -1.9.0-dev+exp,true,process,process.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. -1.9.0-dev+exp,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. -1.9.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. -1.9.0-dev+exp,true,process,process.ppid,long,extended,,4241,Parent process' pid. -1.9.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -1.9.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. -1.9.0-dev+exp,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name. -1.9.0-dev+exp,true,process,process.title,wildcard,extended,,,Process title. -1.9.0-dev+exp,true,process,process.title.text,text,extended,,,Process title. -1.9.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -1.9.0-dev+exp,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process. -1.9.0-dev+exp,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. -1.9.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -1.9.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -1.9.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -1.9.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. 
-1.9.0-dev+exp,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -1.9.0-dev+exp,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -1.9.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -1.9.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -1.9.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -1.9.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -1.9.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names seen on your event. -1.9.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -1.9.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -1.9.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -1.9.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID -1.9.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -1.9.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -1.9.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -1.9.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -1.9.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -1.9.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version -1.9.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. -1.9.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
-1.9.0-dev+exp,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.9.0-dev+exp,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.9.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -1.9.0-dev+exp,true,server,server.domain,wildcard,core,,,Server domain. -1.9.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -1.9.0-dev+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. -1.9.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -1.9.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.9.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. -1.9.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.9.0-dev+exp,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.9.0-dev+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. -1.9.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.9.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -1.9.0-dev+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -1.9.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. -1.9.0-dev+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. -1.9.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip -1.9.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port -1.9.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -1.9.0-dev+exp,true,server,server.port,long,core,,,Port of the server. 
-1.9.0-dev+exp,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -1.9.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -1.9.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.9.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev+exp,true,server,server.user.email,wildcard,extended,,,User email address. -1.9.0-dev+exp,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev+exp,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.9.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.9.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. -1.9.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.9.0-dev+exp,true,server,server.user.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev+exp,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user. -1.9.0-dev+exp,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. -1.9.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.9.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -1.9.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. 
-1.9.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -1.9.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -1.9.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. -1.9.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -1.9.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. -1.9.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. -1.9.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.9.0-dev+exp,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.9.0-dev+exp,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.9.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -1.9.0-dev+exp,true,source,source.domain,wildcard,core,,,Source domain. -1.9.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -1.9.0-dev+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. -1.9.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -1.9.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.9.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -1.9.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.9.0-dev+exp,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.9.0-dev+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. -1.9.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
-1.9.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -1.9.0-dev+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -1.9.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. -1.9.0-dev+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -1.9.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip -1.9.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port -1.9.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -1.9.0-dev+exp,true,source,source.port,long,core,,,Port of the source. -1.9.0-dev+exp,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -1.9.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -1.9.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.9.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev+exp,true,source,source.user.email,wildcard,extended,,,User email address. -1.9.0-dev+exp,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev+exp,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.9.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.9.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. -1.9.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. 
-1.9.0-dev+exp,true,source,source.user.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev+exp,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user. -1.9.0-dev+exp,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. -1.9.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.9.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -1.9.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -1.9.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.9.0-dev+exp,true,threat,threat.indicator.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.9.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.9.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,High,Indicator confidence rating -1.9.0-dev+exp,true,threat,threat.indicator.dataset,keyword,extended,,threatintel.abusemalware,Indicator dataset -1.9.0-dev+exp,true,threat,threat.indicator.description,wildcard,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -1.9.0-dev+exp,true,threat,threat.indicator.domain,keyword,extended,,example.com,Indicator domain name -1.9.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -1.9.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. -1.9.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 
-1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.9.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.9.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. -1.9.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -1.9.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -1.9.0-dev+exp,true,threat,threat.indicator.file.directory,wildcard,extended,,/home/alice,Directory where the file is located. -1.9.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -1.9.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -1.9.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -1.9.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. 
-1.9.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -1.9.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -1.9.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -1.9.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. -1.9.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -1.9.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. -1.9.0-dev+exp,true,threat,threat.indicator.file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.9.0-dev+exp,true,threat,threat.indicator.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.9.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. -1.9.0-dev+exp,true,threat,threat.indicator.file.target_path,wildcard,extended,,,Target path for symlinks. -1.9.0-dev+exp,true,threat,threat.indicator.file.target_path.text,text,extended,,,Target path for symlinks. -1.9.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -1.9.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -1.9.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -1.9.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. -1.9.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. 
-1.9.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -1.9.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.9.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. -1.9.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.9.0-dev+exp,true,threat,threat.indicator.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.9.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. -1.9.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.9.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. -1.9.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -1.9.0-dev+exp,true,threat,threat.indicator.hash.md5,keyword,extended,,,MD5 hash. -1.9.0-dev+exp,true,threat,threat.indicator.hash.sha1,keyword,extended,,,SHA1 hash. -1.9.0-dev+exp,true,threat,threat.indicator.hash.sha256,keyword,extended,,,SHA256 hash. -1.9.0-dev+exp,true,threat,threat.indicator.hash.sha512,keyword,extended,,,SHA512 hash. -1.9.0-dev+exp,true,threat,threat.indicator.hash.ssdeep,keyword,extended,,,SSDEEP hash. -1.9.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address -1.9.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 
-1.9.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking -1.9.0-dev+exp,true,threat,threat.indicator.matched.atomic,keyword,extended,,example.com,Indicator atomic match -1.9.0-dev+exp,true,threat,threat.indicator.matched.field,keyword,extended,,file.hash.sha256,Indicator field match -1.9.0-dev+exp,true,threat,threat.indicator.matched.type,keyword,extended,,domain-name,Indicator type match -1.9.0-dev+exp,true,threat,threat.indicator.module,keyword,extended,,threatintel,Indicator module -1.9.0-dev+exp,true,threat,threat.indicator.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.9.0-dev+exp,true,threat,threat.indicator.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. -1.9.0-dev+exp,true,threat,threat.indicator.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.9.0-dev+exp,true,threat,threat.indicator.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. -1.9.0-dev+exp,true,threat,threat.indicator.pe.compiler.name,keyword,extended,,Clang,Name of the compiler -1.9.0-dev+exp,true,threat,threat.indicator.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. -1.9.0-dev+exp,true,threat,threat.indicator.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. -1.9.0-dev+exp,true,threat,threat.indicator.pe.debug,nested,extended,array,,Debug information -1.9.0-dev+exp,true,threat,threat.indicator.pe.debug.offset,keyword,extended,,1296336,Debug offset information. -1.9.0-dev+exp,true,threat,threat.indicator.pe.debug.size,long,extended,,816,Size of the debug information. -1.9.0-dev+exp,true,threat,threat.indicator.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. 
-1.9.0-dev+exp,true,threat,threat.indicator.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. -1.9.0-dev+exp,true,threat,threat.indicator.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.9.0-dev+exp,true,threat,threat.indicator.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. -1.9.0-dev+exp,true,threat,threat.indicator.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE -1.9.0-dev+exp,true,threat,threat.indicator.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.9.0-dev+exp,true,threat,threat.indicator.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. -1.9.0-dev+exp,true,threat,threat.indicator.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.9.0-dev+exp,true,threat,threat.indicator.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions -1.9.0-dev+exp,true,threat,threat.indicator.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. -1.9.0-dev+exp,true,threat,threat.indicator.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.9.0-dev+exp,true,threat,threat.indicator.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. -1.9.0-dev+exp,true,threat,threat.indicator.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
-1.9.0-dev+exp,true,threat,threat.indicator.pe.resources,nested,extended,array,,PE resource information -1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. -1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. -1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. -1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. -1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. -1.9.0-dev+exp,true,threat,threat.indicator.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. -1.9.0-dev+exp,true,threat,threat.indicator.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. -1.9.0-dev+exp,true,threat,threat.indicator.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE -1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. -1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. -1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.flags,keyword,extended,,rx,Section flags of the file. -1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. -1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. -1.9.0-dev+exp,true,threat,threat.indicator.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. 
-1.9.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port -1.9.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,VirusTotal,Identifies the name of the intelligence provider. -1.9.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -1.9.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -1.9.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -1.9.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -1.9.0-dev+exp,true,threat,threat.indicator.registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -1.9.0-dev+exp,true,threat,threat.indicator.registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -1.9.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. -1.9.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics -1.9.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed -1.9.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator -1.9.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -1.9.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -1.9.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. 
-1.9.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -1.9.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -1.9.0-dev+exp,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. -1.9.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -1.9.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -1.9.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. -1.9.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. -1.9.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -1.9.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -1.9.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -1.9.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -1.9.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -1.9.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. 
-1.9.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -1.9.0-dev+exp,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -1.9.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -1.9.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -1.9.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -1.9.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -1.9.0-dev+exp,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -1.9.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -1.9.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.9.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-1.9.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.9.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.9.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.9.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.9.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -1.9.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.9.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.9.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.9.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.9.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.9.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.9.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.9.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
-1.9.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.9.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.9.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.9.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.9.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.9.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -1.9.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.9.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.9.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -1.9.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -1.9.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -1.9.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -1.9.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -1.9.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. 
-1.9.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -1.9.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -1.9.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -1.9.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -1.9.0-dev+exp,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -1.9.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -1.9.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -1.9.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -1.9.0-dev+exp,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -1.9.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
-1.9.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -1.9.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.9.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.9.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.9.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.9.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -1.9.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.9.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.9.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.9.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.9.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.9.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.9.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
-1.9.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -1.9.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.9.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.9.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.9.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.9.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.9.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -1.9.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.9.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.9.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -1.9.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -1.9.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -1.9.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -1.9.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. 
-1.9.0-dev+exp,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url. -1.9.0-dev+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -1.9.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -1.9.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.9.0-dev+exp,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.9.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.9.0-dev+exp,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.9.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. -1.9.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -1.9.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -1.9.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. -1.9.0-dev+exp,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -1.9.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -1.9.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -1.9.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.9.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. -1.9.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev+exp,true,user,user.changes.email,wildcard,extended,,,User email address. 
-1.9.0-dev+exp,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev+exp,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.9.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.9.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -1.9.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.9.0-dev+exp,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev+exp,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user. -1.9.0-dev+exp,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. -1.9.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.9.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev+exp,true,user,user.effective.email,wildcard,extended,,,User email address. -1.9.0-dev+exp,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev+exp,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.9.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-1.9.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -1.9.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.9.0-dev+exp,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev+exp,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user. -1.9.0-dev+exp,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. -1.9.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.9.0-dev+exp,true,user,user.email,wildcard,extended,,,User email address. -1.9.0-dev+exp,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev+exp,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.9.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.9.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. -1.9.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.9.0-dev+exp,true,user,user.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev+exp,true,user,user.name,wildcard,core,,albert,Short name or login of the user. -1.9.0-dev+exp,true,user,user.name.text,text,core,,albert,Short name or login of the user. -1.9.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.9.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev+exp,true,user,user.target.email,wildcard,extended,,,User email address. 
-1.9.0-dev+exp,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev+exp,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.9.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.9.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. -1.9.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.9.0-dev+exp,true,user,user.target.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev+exp,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user. -1.9.0-dev+exp,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. -1.9.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.9.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -1.9.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -1.9.0-dev+exp,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -1.9.0-dev+exp,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -1.9.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 
-1.9.0-dev+exp,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.9.0-dev+exp,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.9.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.9.0-dev+exp,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." -1.9.0-dev+exp,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.9.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.9.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -1.9.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.9.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -1.9.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -1.9.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -1.9.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -1.9.0-dev+exp,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -1.9.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. 
-1.9.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -1.9.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -1.9.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -1.9.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. -1.9.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -1.9.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -1.9.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -1.9.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -1.9.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +1.9.0+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +1.9.0+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +1.9.0+exp,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. +1.9.0+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +1.9.0+exp,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +1.9.0+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +1.9.0+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. 
+1.9.0+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +1.9.0+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +1.9.0+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +1.9.0+exp,true,client,client.address,keyword,extended,,,Client network address. +1.9.0+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.9.0+exp,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.9.0+exp,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.9.0+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +1.9.0+exp,true,client,client.domain,wildcard,core,,,Client domain. +1.9.0+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +1.9.0+exp,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. +1.9.0+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +1.9.0+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0+exp,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0+exp,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. +1.9.0+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0+exp,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +1.9.0+exp,true,client,client.ip,ip,core,,,IP address of the client. +1.9.0+exp,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. 
+1.9.0+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +1.9.0+exp,true,client,client.nat.port,long,extended,,,Client NAT port +1.9.0+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +1.9.0+exp,true,client,client.port,long,core,,,Port of the client. +1.9.0+exp,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +1.9.0+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +1.9.0+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0+exp,true,client,client.user.email,wildcard,extended,,,User email address. +1.9.0+exp,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0+exp,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. +1.9.0+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0+exp,true,client,client.user.id,keyword,core,,,Unique identifier of the user. +1.9.0+exp,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user. +1.9.0+exp,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. +1.9.0+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
+1.9.0+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +1.9.0+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +1.9.0+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. +1.9.0+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +1.9.0+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +1.9.0+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +1.9.0+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +1.9.0+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +1.9.0+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +1.9.0+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. +1.9.0+exp,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. +1.9.0+exp,true,container,container.id,keyword,core,,,Unique container id. +1.9.0+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +1.9.0+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. +1.9.0+exp,true,container,container.labels,object,extended,,,Image labels. +1.9.0+exp,true,container,container.name,keyword,extended,,,Container name. +1.9.0+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +1.9.0+exp,true,data_stream,data_stream.dataset,constant_keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data. +1.9.0+exp,true,data_stream,data_stream.namespace,constant_keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data. 
+1.9.0+exp,true,data_stream,data_stream.type,constant_keyword,extended,,logs,An overarching type for the data stream. +1.9.0+exp,true,destination,destination.address,keyword,extended,,,Destination network address. +1.9.0+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.9.0+exp,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.9.0+exp,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.9.0+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +1.9.0+exp,true,destination,destination.domain,wildcard,core,,,Destination domain. +1.9.0+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +1.9.0+exp,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +1.9.0+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +1.9.0+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0+exp,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0+exp,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. +1.9.0+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0+exp,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +1.9.0+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. 
+1.9.0+exp,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. +1.9.0+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +1.9.0+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +1.9.0+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +1.9.0+exp,true,destination,destination.port,long,core,,,Port of the destination. +1.9.0+exp,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +1.9.0+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +1.9.0+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0+exp,true,destination,destination.user.email,wildcard,extended,,,User email address. +1.9.0+exp,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0+exp,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +1.9.0+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0+exp,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. 
+1.9.0+exp,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user. +1.9.0+exp,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. +1.9.0+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0+exp,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +1.9.0+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.9.0+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0+exp,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +1.9.0+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.9.0+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.9.0+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +1.9.0+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +1.9.0+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. +1.9.0+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0+exp,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. +1.9.0+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +1.9.0+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +1.9.0+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
+1.9.0+exp,true,dll,dll.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. +1.9.0+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.9.0+exp,true,dll,dll.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. +1.9.0+exp,true,dll,dll.pe.compiler.name,keyword,extended,,Clang,Name of the compiler +1.9.0+exp,true,dll,dll.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. +1.9.0+exp,true,dll,dll.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. +1.9.0+exp,true,dll,dll.pe.debug,nested,extended,array,,Debug information +1.9.0+exp,true,dll,dll.pe.debug.offset,keyword,extended,,1296336,Debug offset information. +1.9.0+exp,true,dll,dll.pe.debug.size,long,extended,,816,Size of the debug information. +1.9.0+exp,true,dll,dll.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. +1.9.0+exp,true,dll,dll.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. +1.9.0+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.9.0+exp,true,dll,dll.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. +1.9.0+exp,true,dll,dll.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE +1.9.0+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.9.0+exp,true,dll,dll.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. +1.9.0+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
+1.9.0+exp,true,dll,dll.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions +1.9.0+exp,true,dll,dll.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. +1.9.0+exp,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0+exp,true,dll,dll.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. +1.9.0+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.9.0+exp,true,dll,dll.pe.resources,nested,extended,array,,PE resource information +1.9.0+exp,true,dll,dll.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. +1.9.0+exp,true,dll,dll.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. +1.9.0+exp,true,dll,dll.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. +1.9.0+exp,true,dll,dll.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. +1.9.0+exp,true,dll,dll.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. +1.9.0+exp,true,dll,dll.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. +1.9.0+exp,true,dll,dll.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. +1.9.0+exp,true,dll,dll.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE +1.9.0+exp,true,dll,dll.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. +1.9.0+exp,true,dll,dll.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. 
+1.9.0+exp,true,dll,dll.pe.sections.flags,keyword,extended,,rx,Section flags of the file. +1.9.0+exp,true,dll,dll.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. +1.9.0+exp,true,dll,dll.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. +1.9.0+exp,true,dll,dll.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. +1.9.0+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +1.9.0+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +1.9.0+exp,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. +1.9.0+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +1.9.0+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +1.9.0+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +1.9.0+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +1.9.0+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +1.9.0+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +1.9.0+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +1.9.0+exp,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried. +1.9.0+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +1.9.0+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. 
+1.9.0+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +1.9.0+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +1.9.0+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +1.9.0+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +1.9.0+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +1.9.0+exp,true,error,error.code,keyword,core,,,Error code describing the error. +1.9.0+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. +1.9.0+exp,true,error,error.message,text,core,,,Error message. +1.9.0+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +1.9.0+exp,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. +1.9.0+exp,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +1.9.0+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +1.9.0+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +1.9.0+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. +1.9.0+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +1.9.0+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +1.9.0+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. 
+1.9.0+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +1.9.0+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +1.9.0+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +1.9.0+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +1.9.0+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +1.9.0+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +1.9.0+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +1.9.0+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +1.9.0+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. +1.9.0+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +1.9.0+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +1.9.0+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +1.9.0+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +1.9.0+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. +1.9.0+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. 
+1.9.0+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +1.9.0+exp,true,event,event.timezone,keyword,extended,,,Event time zone. +1.9.0+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +1.9.0+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +1.9.0+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. +1.9.0+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +1.9.0+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0+exp,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +1.9.0+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.9.0+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0+exp,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +1.9.0+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.9.0+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.9.0+exp,true,file,file.created,date,extended,,,File creation time. +1.9.0+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +1.9.0+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +1.9.0+exp,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. 
+1.9.0+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +1.9.0+exp,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +1.9.0+exp,true,file,file.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file. +1.9.0+exp,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +1.9.0+exp,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +1.9.0+exp,true,file,file.elf.exports,flattened,extended,,,List of exported element names and types. +1.9.0+exp,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +1.9.0+exp,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. +1.9.0+exp,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. +1.9.0+exp,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +1.9.0+exp,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +1.9.0+exp,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +1.9.0+exp,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +1.9.0+exp,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +1.9.0+exp,true,file,file.elf.imports,flattened,extended,,,List of imported element names and types. +1.9.0+exp,true,file,file.elf.sections,nested,extended,,,Section information of the ELF file. +1.9.0+exp,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +1.9.0+exp,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +1.9.0+exp,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +1.9.0+exp,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. 
+1.9.0+exp,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +1.9.0+exp,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +1.9.0+exp,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. +1.9.0+exp,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +1.9.0+exp,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +1.9.0+exp,true,file,file.elf.segments,nested,extended,,,ELF object segment list. +1.9.0+exp,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +1.9.0+exp,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +1.9.0+exp,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object +1.9.0+exp,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF files +1.9.0+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +1.9.0+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +1.9.0+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +1.9.0+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +1.9.0+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +1.9.0+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +1.9.0+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0+exp,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +1.9.0+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +1.9.0+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +1.9.0+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +1.9.0+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. 
+1.9.0+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +1.9.0+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. +1.9.0+exp,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.9.0+exp,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.9.0+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.9.0+exp,true,file,file.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. +1.9.0+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.9.0+exp,true,file,file.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. +1.9.0+exp,true,file,file.pe.compiler.name,keyword,extended,,Clang,Name of the compiler +1.9.0+exp,true,file,file.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. +1.9.0+exp,true,file,file.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. +1.9.0+exp,true,file,file.pe.debug,nested,extended,array,,Debug information +1.9.0+exp,true,file,file.pe.debug.offset,keyword,extended,,1296336,Debug offset information. +1.9.0+exp,true,file,file.pe.debug.size,long,extended,,816,Size of the debug information. +1.9.0+exp,true,file,file.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. +1.9.0+exp,true,file,file.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. +1.9.0+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
+1.9.0+exp,true,file,file.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. +1.9.0+exp,true,file,file.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE +1.9.0+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.9.0+exp,true,file,file.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. +1.9.0+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.9.0+exp,true,file,file.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions +1.9.0+exp,true,file,file.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. +1.9.0+exp,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0+exp,true,file,file.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. +1.9.0+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.9.0+exp,true,file,file.pe.resources,nested,extended,array,,PE resource information +1.9.0+exp,true,file,file.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. +1.9.0+exp,true,file,file.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. +1.9.0+exp,true,file,file.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. +1.9.0+exp,true,file,file.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. 
+1.9.0+exp,true,file,file.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. +1.9.0+exp,true,file,file.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. +1.9.0+exp,true,file,file.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. +1.9.0+exp,true,file,file.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE +1.9.0+exp,true,file,file.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. +1.9.0+exp,true,file,file.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. +1.9.0+exp,true,file,file.pe.sections.flags,keyword,extended,,rx,Section flags of the file. +1.9.0+exp,true,file,file.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. +1.9.0+exp,true,file,file.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. +1.9.0+exp,true,file,file.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. +1.9.0+exp,true,file,file.size,long,extended,,16384,File size in bytes. +1.9.0+exp,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. +1.9.0+exp,true,file,file.target_path.text,text,extended,,,Target path for symlinks. +1.9.0+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +1.9.0+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +1.9.0+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.9.0+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+1.9.0+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.9.0+exp,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.9.0+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.9.0+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.9.0+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +1.9.0+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0+exp,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.9.0+exp,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.9.0+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.9.0+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.9.0+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.9.0+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.9.0+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.9.0+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
+1.9.0+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.9.0+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.9.0+exp,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.9.0+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.9.0+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +1.9.0+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.9.0+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +1.9.0+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0+exp,true,group,group.name,keyword,extended,,,Name of the group. +1.9.0+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +1.9.0+exp,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +1.9.0+exp,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +1.9.0+exp,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +1.9.0+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +1.9.0+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +1.9.0+exp,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. 
+1.9.0+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +1.9.0+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0+exp,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0+exp,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. +1.9.0+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0+exp,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +1.9.0+exp,true,host,host.hostname,wildcard,core,,,Hostname of the host. +1.9.0+exp,true,host,host.id,keyword,core,,,Unique host id. +1.9.0+exp,true,host,host.ip,ip,core,array,,Host ip addresses. +1.9.0+exp,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +1.9.0+exp,true,host,host.name,keyword,core,,,Name of the host. +1.9.0+exp,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +1.9.0+exp,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +1.9.0+exp,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +1.9.0+exp,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +1.9.0+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.9.0+exp,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
+1.9.0+exp,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.9.0+exp,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +1.9.0+exp,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.9.0+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.9.0+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +1.9.0+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.9.0+exp,true,host,host.type,keyword,core,,,Type of host. +1.9.0+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +1.9.0+exp,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0+exp,true,host,host.user.email,wildcard,extended,,,User email address. +1.9.0+exp,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0+exp,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0+exp,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0+exp,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0+exp,true,host,host.user.group.name,keyword,extended,,,Name of the group. +1.9.0+exp,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0+exp,true,host,host.user.id,keyword,core,,,Unique identifier of the user. +1.9.0+exp,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user. 
+1.9.0+exp,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. +1.9.0+exp,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +1.9.0+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. +1.9.0+exp,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. +1.9.0+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +1.9.0+exp,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +1.9.0+exp,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. +1.9.0+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +1.9.0+exp,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. +1.9.0+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +1.9.0+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +1.9.0+exp,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. +1.9.0+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +1.9.0+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +1.9.0+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +1.9.0+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. +1.9.0+exp,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from. 
+1.9.0+exp,true,log,log.level,keyword,core,,error,Log level of the log event. +1.9.0+exp,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +1.9.0+exp,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. +1.9.0+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +1.9.0+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +1.9.0+exp,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." +1.9.0+exp,true,log,log.syslog,object,extended,,,Syslog metadata +1.9.0+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +1.9.0+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +1.9.0+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +1.9.0+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +1.9.0+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +1.9.0+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. +1.9.0+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +1.9.0+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +1.9.0+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +1.9.0+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +1.9.0+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. 
+1.9.0+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information +1.9.0+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.9.0+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.9.0+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +1.9.0+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +1.9.0+exp,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. +1.9.0+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +1.9.0+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +1.9.0+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.9.0+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.9.0+exp,true,observer,observer.egress,object,extended,,,Object field for egress information +1.9.0+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +1.9.0+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +1.9.0+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +1.9.0+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.9.0+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.9.0+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +1.9.0+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +1.9.0+exp,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. 
+1.9.0+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +1.9.0+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0+exp,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0+exp,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. +1.9.0+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0+exp,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +1.9.0+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +1.9.0+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information +1.9.0+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +1.9.0+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +1.9.0+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +1.9.0+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.9.0+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.9.0+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +1.9.0+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +1.9.0+exp,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +1.9.0+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. 
+1.9.0+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.9.0+exp,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0+exp,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.9.0+exp,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +1.9.0+exp,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.9.0+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.9.0+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +1.9.0+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.9.0+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +1.9.0+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +1.9.0+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +1.9.0+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +1.9.0+exp,true,observer,observer.version,keyword,core,,,Observer version. +1.9.0+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +1.9.0+exp,true,organization,organization.name,wildcard,extended,,,Organization name. +1.9.0+exp,true,organization,organization.name.text,text,extended,,,Organization name. +1.9.0+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. 
+1.9.0+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +1.9.0+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +1.9.0+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +1.9.0+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +1.9.0+exp,true,package,package.installed,date,extended,,,Time when package was installed. +1.9.0+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +1.9.0+exp,true,package,package.name,keyword,extended,,go,Package name +1.9.0+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +1.9.0+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +1.9.0+exp,true,package,package.size,long,extended,,62231,Package size in bytes. +1.9.0+exp,true,package,package.type,keyword,extended,,rpm,Package type +1.9.0+exp,true,package,package.version,keyword,extended,,1.12.9,Package version +1.9.0+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +1.9.0+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. +1.9.0+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0+exp,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +1.9.0+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+1.9.0+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0+exp,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +1.9.0+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.9.0+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.9.0+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.9.0+exp,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.9.0+exp,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +1.9.0+exp,true,process,process.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file. +1.9.0+exp,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +1.9.0+exp,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +1.9.0+exp,true,process,process.elf.exports,flattened,extended,,,List of exported element names and types. +1.9.0+exp,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +1.9.0+exp,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +1.9.0+exp,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +1.9.0+exp,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +1.9.0+exp,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
+1.9.0+exp,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +1.9.0+exp,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. +1.9.0+exp,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. +1.9.0+exp,true,process,process.elf.imports,flattened,extended,,,List of imported element names and types. +1.9.0+exp,true,process,process.elf.sections,nested,extended,,,Section information of the ELF file. +1.9.0+exp,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +1.9.0+exp,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +1.9.0+exp,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +1.9.0+exp,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. +1.9.0+exp,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +1.9.0+exp,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +1.9.0+exp,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +1.9.0+exp,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +1.9.0+exp,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +1.9.0+exp,true,process,process.elf.segments,nested,extended,,,ELF object segment list. +1.9.0+exp,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +1.9.0+exp,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. 
+1.9.0+exp,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object +1.9.0+exp,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF files +1.9.0+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +1.9.0+exp,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.9.0+exp,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.9.0+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. +1.9.0+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +1.9.0+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +1.9.0+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +1.9.0+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0+exp,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +1.9.0+exp,true,process,process.name,wildcard,extended,,ssh,Process name. +1.9.0+exp,true,process,process.name.text,text,extended,,ssh,Process name. +1.9.0+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +1.9.0+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +1.9.0+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0+exp,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +1.9.0+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+1.9.0+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0+exp,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +1.9.0+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.9.0+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.9.0+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.9.0+exp,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.9.0+exp,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +1.9.0+exp,true,process,process.parent.elf.byte_order,keyword,extended,,"Little Endian, Big Endian",Byte sequence of ELF file. +1.9.0+exp,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +1.9.0+exp,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. +1.9.0+exp,true,process,process.parent.elf.exports,flattened,extended,,,List of exported element names and types. +1.9.0+exp,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +1.9.0+exp,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +1.9.0+exp,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +1.9.0+exp,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +1.9.0+exp,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." 
+1.9.0+exp,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +1.9.0+exp,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +1.9.0+exp,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +1.9.0+exp,true,process,process.parent.elf.imports,flattened,extended,,,List of imported element names and types. +1.9.0+exp,true,process,process.parent.elf.sections,nested,extended,,,Section information of the ELF file. +1.9.0+exp,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +1.9.0+exp,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +1.9.0+exp,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +1.9.0+exp,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +1.9.0+exp,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +1.9.0+exp,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +1.9.0+exp,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +1.9.0+exp,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +1.9.0+exp,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +1.9.0+exp,true,process,process.parent.elf.segments,nested,extended,,,ELF object segment list. +1.9.0+exp,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +1.9.0+exp,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. 
+1.9.0+exp,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object +1.9.0+exp,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF files +1.9.0+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +1.9.0+exp,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.9.0+exp,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.9.0+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +1.9.0+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +1.9.0+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +1.9.0+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +1.9.0+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0+exp,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +1.9.0+exp,true,process,process.parent.name,wildcard,extended,,ssh,Process name. +1.9.0+exp,true,process,process.parent.name.text,text,extended,,ssh,Process name. +1.9.0+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.9.0+exp,true,process,process.parent.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. +1.9.0+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.9.0+exp,true,process,process.parent.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. 
+1.9.0+exp,true,process,process.parent.pe.compiler.name,keyword,extended,,Clang,Name of the compiler +1.9.0+exp,true,process,process.parent.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. +1.9.0+exp,true,process,process.parent.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. +1.9.0+exp,true,process,process.parent.pe.debug,nested,extended,array,,Debug information +1.9.0+exp,true,process,process.parent.pe.debug.offset,keyword,extended,,1296336,Debug offset information. +1.9.0+exp,true,process,process.parent.pe.debug.size,long,extended,,816,Size of the debug information. +1.9.0+exp,true,process,process.parent.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. +1.9.0+exp,true,process,process.parent.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. +1.9.0+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.9.0+exp,true,process,process.parent.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. +1.9.0+exp,true,process,process.parent.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE +1.9.0+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.9.0+exp,true,process,process.parent.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. +1.9.0+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
+1.9.0+exp,true,process,process.parent.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions +1.9.0+exp,true,process,process.parent.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. +1.9.0+exp,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0+exp,true,process,process.parent.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. +1.9.0+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.9.0+exp,true,process,process.parent.pe.resources,nested,extended,array,,PE resource information +1.9.0+exp,true,process,process.parent.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. +1.9.0+exp,true,process,process.parent.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. +1.9.0+exp,true,process,process.parent.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. +1.9.0+exp,true,process,process.parent.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. +1.9.0+exp,true,process,process.parent.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. +1.9.0+exp,true,process,process.parent.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. +1.9.0+exp,true,process,process.parent.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. 
+1.9.0+exp,true,process,process.parent.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE +1.9.0+exp,true,process,process.parent.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. +1.9.0+exp,true,process,process.parent.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. +1.9.0+exp,true,process,process.parent.pe.sections.flags,keyword,extended,,rx,Section flags of the file. +1.9.0+exp,true,process,process.parent.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. +1.9.0+exp,true,process,process.parent.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. +1.9.0+exp,true,process,process.parent.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. +1.9.0+exp,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +1.9.0+exp,true,process,process.parent.pid,long,core,,4242,Process id. +1.9.0+exp,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. +1.9.0+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +1.9.0+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +1.9.0+exp,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name. +1.9.0+exp,true,process,process.parent.title,wildcard,extended,,,Process title. +1.9.0+exp,true,process,process.parent.title.text,text,extended,,,Process title. +1.9.0+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +1.9.0+exp,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process. +1.9.0+exp,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. 
+1.9.0+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.9.0+exp,true,process,process.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. +1.9.0+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.9.0+exp,true,process,process.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. +1.9.0+exp,true,process,process.pe.compiler.name,keyword,extended,,Clang,Name of the compiler +1.9.0+exp,true,process,process.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. +1.9.0+exp,true,process,process.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. +1.9.0+exp,true,process,process.pe.debug,nested,extended,array,,Debug information +1.9.0+exp,true,process,process.pe.debug.offset,keyword,extended,,1296336,Debug offset information. +1.9.0+exp,true,process,process.pe.debug.size,long,extended,,816,Size of the debug information. +1.9.0+exp,true,process,process.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. +1.9.0+exp,true,process,process.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. +1.9.0+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.9.0+exp,true,process,process.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. +1.9.0+exp,true,process,process.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE +1.9.0+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
+1.9.0+exp,true,process,process.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. +1.9.0+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.9.0+exp,true,process,process.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions +1.9.0+exp,true,process,process.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. +1.9.0+exp,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0+exp,true,process,process.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. +1.9.0+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.9.0+exp,true,process,process.pe.resources,nested,extended,array,,PE resource information +1.9.0+exp,true,process,process.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. +1.9.0+exp,true,process,process.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. +1.9.0+exp,true,process,process.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. +1.9.0+exp,true,process,process.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. +1.9.0+exp,true,process,process.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. +1.9.0+exp,true,process,process.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. 
+1.9.0+exp,true,process,process.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. +1.9.0+exp,true,process,process.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE +1.9.0+exp,true,process,process.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. +1.9.0+exp,true,process,process.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. +1.9.0+exp,true,process,process.pe.sections.flags,keyword,extended,,rx,Section flags of the file. +1.9.0+exp,true,process,process.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. +1.9.0+exp,true,process,process.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. +1.9.0+exp,true,process,process.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. +1.9.0+exp,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +1.9.0+exp,true,process,process.pid,long,core,,4242,Process id. +1.9.0+exp,true,process,process.ppid,long,extended,,4241,Parent process' pid. +1.9.0+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +1.9.0+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. +1.9.0+exp,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name. +1.9.0+exp,true,process,process.title,wildcard,extended,,,Process title. +1.9.0+exp,true,process,process.title.text,text,extended,,,Process title. +1.9.0+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +1.9.0+exp,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process. +1.9.0+exp,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. 
+1.9.0+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +1.9.0+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +1.9.0+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +1.9.0+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +1.9.0+exp,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +1.9.0+exp,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +1.9.0+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +1.9.0+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +1.9.0+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +1.9.0+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +1.9.0+exp,true,related,related.user,keyword,extended,array,,All the user names seen on your event. 
+1.9.0+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +1.9.0+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +1.9.0+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +1.9.0+exp,true,rule,rule.id,keyword,extended,,101,Rule ID +1.9.0+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +1.9.0+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +1.9.0+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +1.9.0+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +1.9.0+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +1.9.0+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version +1.9.0+exp,true,server,server.address,keyword,extended,,,Server network address. +1.9.0+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.9.0+exp,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.9.0+exp,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.9.0+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +1.9.0+exp,true,server,server.domain,wildcard,core,,,Server domain. +1.9.0+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +1.9.0+exp,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +1.9.0+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +1.9.0+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+1.9.0+exp,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0+exp,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. +1.9.0+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0+exp,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +1.9.0+exp,true,server,server.ip,ip,core,,,IP address of the server. +1.9.0+exp,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +1.9.0+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip +1.9.0+exp,true,server,server.nat.port,long,extended,,,Server NAT port +1.9.0+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +1.9.0+exp,true,server,server.port,long,core,,,Port of the server. +1.9.0+exp,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +1.9.0+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +1.9.0+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0+exp,true,server,server.user.email,wildcard,extended,,,User email address. +1.9.0+exp,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0+exp,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+1.9.0+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. +1.9.0+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0+exp,true,server,server.user.id,keyword,core,,,Unique identifier of the user. +1.9.0+exp,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user. +1.9.0+exp,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. +1.9.0+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +1.9.0+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +1.9.0+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +1.9.0+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +1.9.0+exp,true,service,service.state,keyword,core,,,Current state of the service. +1.9.0+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +1.9.0+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. +1.9.0+exp,true,source,source.address,keyword,extended,,,Source network address. +1.9.0+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.9.0+exp,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.9.0+exp,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.9.0+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +1.9.0+exp,true,source,source.domain,wildcard,core,,,Source domain. +1.9.0+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. 
+1.9.0+exp,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. +1.9.0+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +1.9.0+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0+exp,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0+exp,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. +1.9.0+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0+exp,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +1.9.0+exp,true,source,source.ip,ip,core,,,IP address of the source. +1.9.0+exp,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +1.9.0+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip +1.9.0+exp,true,source,source.nat.port,long,extended,,,Source NAT port +1.9.0+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +1.9.0+exp,true,source,source.port,long,core,,,Port of the source. +1.9.0+exp,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +1.9.0+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +1.9.0+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0+exp,true,source,source.user.email,wildcard,extended,,,User email address. 
+1.9.0+exp,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0+exp,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. +1.9.0+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0+exp,true,source,source.user.id,keyword,core,,,Unique identifier of the user. +1.9.0+exp,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user. +1.9.0+exp,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. +1.9.0+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +1.9.0+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +1.9.0+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.9.0+exp,true,threat,threat.indicator.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.9.0+exp,true,threat,threat.indicator.as.organization.name.text,text,extended,,Google LLC,Organization name. 
+1.9.0+exp,true,threat,threat.indicator.confidence,keyword,extended,,High,Indicator confidence rating +1.9.0+exp,true,threat,threat.indicator.dataset,keyword,extended,,threatintel.abusemalware,Indicator dataset +1.9.0+exp,true,threat,threat.indicator.description,wildcard,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +1.9.0+exp,true,threat,threat.indicator.domain,keyword,extended,,example.com,Indicator domain name +1.9.0+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +1.9.0+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +1.9.0+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +1.9.0+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +1.9.0+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.9.0+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +1.9.0+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.9.0+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.9.0+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. 
+1.9.0+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +1.9.0+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +1.9.0+exp,true,threat,threat.indicator.file.directory,wildcard,extended,,/home/alice,Directory where the file is located. +1.9.0+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +1.9.0+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +1.9.0+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +1.9.0+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +1.9.0+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +1.9.0+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +1.9.0+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +1.9.0+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +1.9.0+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +1.9.0+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. +1.9.0+exp,true,threat,threat.indicator.file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.9.0+exp,true,threat,threat.indicator.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.9.0+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. 
+1.9.0+exp,true,threat,threat.indicator.file.target_path,wildcard,extended,,,Target path for symlinks. +1.9.0+exp,true,threat,threat.indicator.file.target_path.text,text,extended,,,Target path for symlinks. +1.9.0+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +1.9.0+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +1.9.0+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +1.9.0+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +1.9.0+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. +1.9.0+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. +1.9.0+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0+exp,true,threat,threat.indicator.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.9.0+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +1.9.0+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +1.9.0+exp,true,threat,threat.indicator.hash.md5,keyword,extended,,,MD5 hash. +1.9.0+exp,true,threat,threat.indicator.hash.sha1,keyword,extended,,,SHA1 hash. +1.9.0+exp,true,threat,threat.indicator.hash.sha256,keyword,extended,,,SHA256 hash. 
+1.9.0+exp,true,threat,threat.indicator.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0+exp,true,threat,threat.indicator.hash.ssdeep,keyword,extended,,,SSDEEP hash. +1.9.0+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +1.9.0+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +1.9.0+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking +1.9.0+exp,true,threat,threat.indicator.matched.atomic,keyword,extended,,example.com,Indicator atomic match +1.9.0+exp,true,threat,threat.indicator.matched.field,keyword,extended,,file.hash.sha256,Indicator field match +1.9.0+exp,true,threat,threat.indicator.matched.type,keyword,extended,,domain-name,Indicator type match +1.9.0+exp,true,threat,threat.indicator.module,keyword,extended,,threatintel,Indicator module +1.9.0+exp,true,threat,threat.indicator.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.9.0+exp,true,threat,threat.indicator.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. +1.9.0+exp,true,threat,threat.indicator.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.9.0+exp,true,threat,threat.indicator.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. +1.9.0+exp,true,threat,threat.indicator.pe.compiler.name,keyword,extended,,Clang,Name of the compiler +1.9.0+exp,true,threat,threat.indicator.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. +1.9.0+exp,true,threat,threat.indicator.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. +1.9.0+exp,true,threat,threat.indicator.pe.debug,nested,extended,array,,Debug information +1.9.0+exp,true,threat,threat.indicator.pe.debug.offset,keyword,extended,,1296336,Debug offset information. 
+1.9.0+exp,true,threat,threat.indicator.pe.debug.size,long,extended,,816,Size of the debug information. +1.9.0+exp,true,threat,threat.indicator.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. +1.9.0+exp,true,threat,threat.indicator.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. +1.9.0+exp,true,threat,threat.indicator.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.9.0+exp,true,threat,threat.indicator.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. +1.9.0+exp,true,threat,threat.indicator.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE +1.9.0+exp,true,threat,threat.indicator.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.9.0+exp,true,threat,threat.indicator.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. +1.9.0+exp,true,threat,threat.indicator.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.9.0+exp,true,threat,threat.indicator.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions +1.9.0+exp,true,threat,threat.indicator.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. +1.9.0+exp,true,threat,threat.indicator.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0+exp,true,threat,threat.indicator.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. 
+1.9.0+exp,true,threat,threat.indicator.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.9.0+exp,true,threat,threat.indicator.pe.resources,nested,extended,array,,PE resource information +1.9.0+exp,true,threat,threat.indicator.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. +1.9.0+exp,true,threat,threat.indicator.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. +1.9.0+exp,true,threat,threat.indicator.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. +1.9.0+exp,true,threat,threat.indicator.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. +1.9.0+exp,true,threat,threat.indicator.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. +1.9.0+exp,true,threat,threat.indicator.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. +1.9.0+exp,true,threat,threat.indicator.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. +1.9.0+exp,true,threat,threat.indicator.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE +1.9.0+exp,true,threat,threat.indicator.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. +1.9.0+exp,true,threat,threat.indicator.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. +1.9.0+exp,true,threat,threat.indicator.pe.sections.flags,keyword,extended,,rx,Section flags of the file. +1.9.0+exp,true,threat,threat.indicator.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. +1.9.0+exp,true,threat,threat.indicator.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. 
+1.9.0+exp,true,threat,threat.indicator.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. +1.9.0+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port +1.9.0+exp,true,threat,threat.indicator.provider,keyword,extended,,VirusTotal,Identifies the name of the intelligence provider. +1.9.0+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +1.9.0+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +1.9.0+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +1.9.0+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +1.9.0+exp,true,threat,threat.indicator.registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +1.9.0+exp,true,threat,threat.indicator.registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +1.9.0+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +1.9.0+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +1.9.0+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +1.9.0+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +1.9.0+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +1.9.0+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +1.9.0+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. 
+1.9.0+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +1.9.0+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +1.9.0+exp,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. +1.9.0+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +1.9.0+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +1.9.0+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +1.9.0+exp,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. +1.9.0+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +1.9.0+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +1.9.0+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +1.9.0+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +1.9.0+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +1.9.0+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. 
+1.9.0+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +1.9.0+exp,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +1.9.0+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +1.9.0+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +1.9.0+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +1.9.0+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +1.9.0+exp,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +1.9.0+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +1.9.0+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.9.0+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+1.9.0+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.9.0+exp,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.9.0+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.9.0+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.9.0+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +1.9.0+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.9.0+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.9.0+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.9.0+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.9.0+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.9.0+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.9.0+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
+1.9.0+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.9.0+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.9.0+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.9.0+exp,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.9.0+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.9.0+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +1.9.0+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.9.0+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +1.9.0+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +1.9.0+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +1.9.0+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +1.9.0+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +1.9.0+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. 
+1.9.0+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +1.9.0+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +1.9.0+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +1.9.0+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +1.9.0+exp,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +1.9.0+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +1.9.0+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +1.9.0+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +1.9.0+exp,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +1.9.0+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.9.0+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+1.9.0+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.9.0+exp,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.9.0+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.9.0+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.9.0+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +1.9.0+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.9.0+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.9.0+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.9.0+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.9.0+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.9.0+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.9.0+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
+1.9.0+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.9.0+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.9.0+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.9.0+exp,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.9.0+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.9.0+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +1.9.0+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.9.0+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +1.9.0+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +1.9.0+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +1.9.0+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +1.9.0+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +1.9.0+exp,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url. +1.9.0+exp,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." 
+1.9.0+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +1.9.0+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.9.0+exp,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.9.0+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.9.0+exp,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.9.0+exp,true,url,url.password,keyword,extended,,,Password of the request. +1.9.0+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +1.9.0+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +1.9.0+exp,true,url,url.query,keyword,extended,,,Query string of the request. +1.9.0+exp,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +1.9.0+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +1.9.0+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +1.9.0+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0+exp,true,url,url.username,keyword,extended,,,Username of the request. +1.9.0+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0+exp,true,user,user.changes.email,wildcard,extended,,,User email address. +1.9.0+exp,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0+exp,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 
+1.9.0+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +1.9.0+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0+exp,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. +1.9.0+exp,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user. +1.9.0+exp,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. +1.9.0+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0+exp,true,user,user.effective.email,wildcard,extended,,,User email address. +1.9.0+exp,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0+exp,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +1.9.0+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0+exp,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. 
+1.9.0+exp,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user. +1.9.0+exp,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. +1.9.0+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0+exp,true,user,user.email,wildcard,extended,,,User email address. +1.9.0+exp,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0+exp,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0+exp,true,user,user.group.name,keyword,extended,,,Name of the group. +1.9.0+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0+exp,true,user,user.id,keyword,core,,,Unique identifier of the user. +1.9.0+exp,true,user,user.name,wildcard,core,,albert,Short name or login of the user. +1.9.0+exp,true,user,user.name.text,text,core,,albert,Short name or login of the user. +1.9.0+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0+exp,true,user,user.target.email,wildcard,extended,,,User email address. +1.9.0+exp,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +1.9.0+exp,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+1.9.0+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. +1.9.0+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0+exp,true,user,user.target.id,keyword,core,,,Unique identifier of the user. +1.9.0+exp,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user. +1.9.0+exp,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. +1.9.0+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +1.9.0+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +1.9.0+exp,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.9.0+exp,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.9.0+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.9.0+exp,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0+exp,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
+1.9.0+exp,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +1.9.0+exp,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.9.0+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.9.0+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +1.9.0+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.9.0+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +1.9.0+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +1.9.0+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +1.9.0+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.9.0+exp,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.9.0+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +1.9.0+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +1.9.0+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +1.9.0+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +1.9.0+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. 
+1.9.0+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +1.9.0+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +1.9.0+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +1.9.0+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +1.9.0+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index ccc3dda09f..cfc5da9ee4 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "1.9.0-dev+exp" + "version": "1.9.0+exp" }, "date_detection": false, "dynamic_templates": [ diff --git a/experimental/generated/elasticsearch/component/agent.json b/experimental/generated/elasticsearch/component/agent.json index 2ee628913a..f87d76bed3 100644 --- a/experimental/generated/elasticsearch/component/agent.json +++ b/experimental/generated/elasticsearch/component/agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/base.json b/experimental/generated/elasticsearch/component/base.json index d02df1ef01..b7db5868a2 100644 --- a/experimental/generated/elasticsearch/component/base.json +++ b/experimental/generated/elasticsearch/component/base.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/component/client.json b/experimental/generated/elasticsearch/component/client.json index df7ef337a3..eabfd25f03 100644 --- a/experimental/generated/elasticsearch/component/client.json +++ b/experimental/generated/elasticsearch/component/client.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/cloud.json b/experimental/generated/elasticsearch/component/cloud.json index b33d205acc..c3326cf516 100644 --- a/experimental/generated/elasticsearch/component/cloud.json +++ b/experimental/generated/elasticsearch/component/cloud.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/container.json b/experimental/generated/elasticsearch/component/container.json index f8c4f440af..ebbcd24b84 100644 --- a/experimental/generated/elasticsearch/component/container.json +++ b/experimental/generated/elasticsearch/component/container.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/data_stream.json b/experimental/generated/elasticsearch/component/data_stream.json index 3d4d93c586..6246f66460 100644 --- a/experimental/generated/elasticsearch/component/data_stream.json +++ b/experimental/generated/elasticsearch/component/data_stream.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/destination.json b/experimental/generated/elasticsearch/component/destination.json index cff46d3ea5..7714d496cc 100644 --- a/experimental/generated/elasticsearch/component/destination.json +++ b/experimental/generated/elasticsearch/component/destination.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/dll.json b/experimental/generated/elasticsearch/component/dll.json index 73857865a8..56ca839a3b 100644 --- a/experimental/generated/elasticsearch/component/dll.json +++ b/experimental/generated/elasticsearch/component/dll.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/dns.json b/experimental/generated/elasticsearch/component/dns.json index 4b1544f730..5764ea298f 100644 --- a/experimental/generated/elasticsearch/component/dns.json +++ b/experimental/generated/elasticsearch/component/dns.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/ecs.json b/experimental/generated/elasticsearch/component/ecs.json index 201b6c8afa..fe581bdda8 100644 --- a/experimental/generated/elasticsearch/component/ecs.json +++ b/experimental/generated/elasticsearch/component/ecs.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/error.json b/experimental/generated/elasticsearch/component/error.json index 1a78f012f5..d1735bad21 100644 --- a/experimental/generated/elasticsearch/component/error.json +++ b/experimental/generated/elasticsearch/component/error.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/event.json b/experimental/generated/elasticsearch/component/event.json index 023b3609e4..d383de0f1c 100644 --- a/experimental/generated/elasticsearch/component/event.json +++ b/experimental/generated/elasticsearch/component/event.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/file.json b/experimental/generated/elasticsearch/component/file.json index d829ebfd29..ec1a41db7d 100644 --- a/experimental/generated/elasticsearch/component/file.json +++ b/experimental/generated/elasticsearch/component/file.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/group.json b/experimental/generated/elasticsearch/component/group.json index af27bad40e..6160bfd2c7 100644 --- a/experimental/generated/elasticsearch/component/group.json +++ b/experimental/generated/elasticsearch/component/group.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/host.json b/experimental/generated/elasticsearch/component/host.json index 2d503d0b39..ec54426c07 100644 --- a/experimental/generated/elasticsearch/component/host.json +++ b/experimental/generated/elasticsearch/component/host.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/http.json b/experimental/generated/elasticsearch/component/http.json index 3b79b53c86..3e21dbe1d9 100644 --- a/experimental/generated/elasticsearch/component/http.json +++ b/experimental/generated/elasticsearch/component/http.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/log.json b/experimental/generated/elasticsearch/component/log.json index 0781701d8e..053a430d6e 100644 --- a/experimental/generated/elasticsearch/component/log.json +++ b/experimental/generated/elasticsearch/component/log.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/network.json b/experimental/generated/elasticsearch/component/network.json index e77b7b3980..816e0b595e 100644 --- a/experimental/generated/elasticsearch/component/network.json +++ b/experimental/generated/elasticsearch/component/network.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/observer.json b/experimental/generated/elasticsearch/component/observer.json index 6a36b4bbaf..494b2c54ef 100644 --- a/experimental/generated/elasticsearch/component/observer.json +++ b/experimental/generated/elasticsearch/component/observer.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/organization.json b/experimental/generated/elasticsearch/component/organization.json index 00a4d1a501..311ea5f8a8 100644 --- a/experimental/generated/elasticsearch/component/organization.json +++ b/experimental/generated/elasticsearch/component/organization.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/package.json b/experimental/generated/elasticsearch/component/package.json index 12913eecc9..06e7cd054e 100644 --- a/experimental/generated/elasticsearch/component/package.json +++ b/experimental/generated/elasticsearch/component/package.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/process.json b/experimental/generated/elasticsearch/component/process.json index 75adf5c85c..f363d85f62 100644 --- a/experimental/generated/elasticsearch/component/process.json 
+++ b/experimental/generated/elasticsearch/component/process.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/registry.json b/experimental/generated/elasticsearch/component/registry.json index 1eb688adec..003245e99d 100644 --- a/experimental/generated/elasticsearch/component/registry.json +++ b/experimental/generated/elasticsearch/component/registry.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/related.json b/experimental/generated/elasticsearch/component/related.json index 498b911430..435476ee0d 100644 --- a/experimental/generated/elasticsearch/component/related.json +++ b/experimental/generated/elasticsearch/component/related.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/rule.json b/experimental/generated/elasticsearch/component/rule.json index c93278e7cd..8a79310bab 100644 --- a/experimental/generated/elasticsearch/component/rule.json +++ b/experimental/generated/elasticsearch/component/rule.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/server.json b/experimental/generated/elasticsearch/component/server.json index 6bb1f55c3c..536c1482c7 100644 
--- a/experimental/generated/elasticsearch/component/server.json +++ b/experimental/generated/elasticsearch/component/server.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/service.json b/experimental/generated/elasticsearch/component/service.json index e4567b3636..9f6077274c 100644 --- a/experimental/generated/elasticsearch/component/service.json +++ b/experimental/generated/elasticsearch/component/service.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/source.json b/experimental/generated/elasticsearch/component/source.json index 9832312beb..90734dc2dd 100644 --- a/experimental/generated/elasticsearch/component/source.json +++ b/experimental/generated/elasticsearch/component/source.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/threat.json b/experimental/generated/elasticsearch/component/threat.json index 6c55f638e4..6b0c247094 100644 --- a/experimental/generated/elasticsearch/component/threat.json +++ b/experimental/generated/elasticsearch/component/threat.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/component/tls.json b/experimental/generated/elasticsearch/component/tls.json index 340e30449a..a75258a276 100644 --- a/experimental/generated/elasticsearch/component/tls.json +++ b/experimental/generated/elasticsearch/component/tls.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/tracing.json b/experimental/generated/elasticsearch/component/tracing.json index 8efefe3463..395dba51dc 100644 --- a/experimental/generated/elasticsearch/component/tracing.json +++ b/experimental/generated/elasticsearch/component/tracing.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/url.json b/experimental/generated/elasticsearch/component/url.json index 29f8ee9338..71aa660c06 100644 --- a/experimental/generated/elasticsearch/component/url.json +++ b/experimental/generated/elasticsearch/component/url.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/user.json b/experimental/generated/elasticsearch/component/user.json index 85fa6d4f9e..299d65a4a2 100644 --- a/experimental/generated/elasticsearch/component/user.json +++ b/experimental/generated/elasticsearch/component/user.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { 
diff --git a/experimental/generated/elasticsearch/component/user_agent.json b/experimental/generated/elasticsearch/component/user_agent.json index a336ce44ed..545014aca1 100644 --- a/experimental/generated/elasticsearch/component/user_agent.json +++ b/experimental/generated/elasticsearch/component/user_agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/component/vulnerability.json b/experimental/generated/elasticsearch/component/vulnerability.json index a287339ab1..caa5d2c1a9 100644 --- a/experimental/generated/elasticsearch/component/vulnerability.json +++ b/experimental/generated/elasticsearch/component/vulnerability.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "template": { "mappings": { diff --git a/experimental/generated/elasticsearch/template.json b/experimental/generated/elasticsearch/template.json index f81f6b49dc..5a6f86943c 100644 --- a/experimental/generated/elasticsearch/template.json +++ b/experimental/generated/elasticsearch/template.json 
@@ -1,44 +1,44 @@ { "_meta": { "description": "Sample composable template that includes all ECS fields", - "ecs_version": "1.9.0-dev+exp" + "ecs_version": "1.9.0+exp" }, "composed_of": [ - "ecs_1.9.0-dev-exp_agent", - "ecs_1.9.0-dev-exp_base", - "ecs_1.9.0-dev-exp_client", - "ecs_1.9.0-dev-exp_cloud", - "ecs_1.9.0-dev-exp_container", - "ecs_1.9.0-dev-exp_destination", - "ecs_1.9.0-dev-exp_dll", - "ecs_1.9.0-dev-exp_dns", - "ecs_1.9.0-dev-exp_ecs", - "ecs_1.9.0-dev-exp_error", - "ecs_1.9.0-dev-exp_event", - "ecs_1.9.0-dev-exp_file", - "ecs_1.9.0-dev-exp_group", - "ecs_1.9.0-dev-exp_host", - "ecs_1.9.0-dev-exp_http", - "ecs_1.9.0-dev-exp_log", - "ecs_1.9.0-dev-exp_network", - "ecs_1.9.0-dev-exp_observer", - "ecs_1.9.0-dev-exp_organization", - "ecs_1.9.0-dev-exp_package", - "ecs_1.9.0-dev-exp_process", - "ecs_1.9.0-dev-exp_registry", - "ecs_1.9.0-dev-exp_related", - "ecs_1.9.0-dev-exp_rule", - "ecs_1.9.0-dev-exp_server", - "ecs_1.9.0-dev-exp_service", - "ecs_1.9.0-dev-exp_source", - "ecs_1.9.0-dev-exp_threat", - "ecs_1.9.0-dev-exp_tls", - "ecs_1.9.0-dev-exp_tracing", - "ecs_1.9.0-dev-exp_url", - "ecs_1.9.0-dev-exp_user", - "ecs_1.9.0-dev-exp_user_agent", - "ecs_1.9.0-dev-exp_vulnerability", - "ecs_1.9.0-dev-exp_data_stream" + "ecs_1.9.0-exp_agent", + "ecs_1.9.0-exp_base", + "ecs_1.9.0-exp_client", + "ecs_1.9.0-exp_cloud", + "ecs_1.9.0-exp_container", + "ecs_1.9.0-exp_destination", + "ecs_1.9.0-exp_dll", + "ecs_1.9.0-exp_dns", + "ecs_1.9.0-exp_ecs", + "ecs_1.9.0-exp_error", + "ecs_1.9.0-exp_event", + "ecs_1.9.0-exp_file", + "ecs_1.9.0-exp_group", + "ecs_1.9.0-exp_host", + "ecs_1.9.0-exp_http", + "ecs_1.9.0-exp_log", + "ecs_1.9.0-exp_network", + "ecs_1.9.0-exp_observer", + "ecs_1.9.0-exp_organization", + "ecs_1.9.0-exp_package", + "ecs_1.9.0-exp_process", + "ecs_1.9.0-exp_registry", + "ecs_1.9.0-exp_related", + "ecs_1.9.0-exp_rule", + "ecs_1.9.0-exp_server", + "ecs_1.9.0-exp_service", + "ecs_1.9.0-exp_source", + "ecs_1.9.0-exp_threat", + "ecs_1.9.0-exp_tls", + 
"ecs_1.9.0-exp_tracing", + "ecs_1.9.0-exp_url", + "ecs_1.9.0-exp_user", + "ecs_1.9.0-exp_user_agent", + "ecs_1.9.0-exp_vulnerability", + "ecs_1.9.0-exp_data_stream" ], "index_patterns": [ "try-ecs-*" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 4c51a421e6..5a6093e48d 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 1.9.0-dev. +# based on ECS version 1.9.0. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index ad9d04f737..19a95ab9a3 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -1,763 +1,763 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -1.9.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -1.9.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -1.9.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. -1.9.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -1.9.0-dev,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -1.9.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -1.9.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -1.9.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -1.9.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -1.9.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -1.9.0-dev,true,client,client.address,keyword,extended,,,Client network address. -1.9.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.9.0-dev,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. -1.9.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.9.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -1.9.0-dev,true,client,client.domain,keyword,core,,,Client domain. -1.9.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -1.9.0-dev,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. 
-1.9.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. -1.9.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.9.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -1.9.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.9.0-dev,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -1.9.0-dev,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. -1.9.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.9.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -1.9.0-dev,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -1.9.0-dev,true,client,client.ip,ip,core,,,IP address of the client. -1.9.0-dev,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. -1.9.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -1.9.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port -1.9.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -1.9.0-dev,true,client,client.port,long,core,,,Port of the client. -1.9.0-dev,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -1.9.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -1.9.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.9.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev,true,client,client.user.email,keyword,extended,,,User email address. -1.9.0-dev,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." 
-1.9.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.9.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.9.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. -1.9.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.9.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev,true,client,client.user.name,keyword,core,,albert,Short name or login of the user. -1.9.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. -1.9.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.9.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -1.9.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -1.9.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. -1.9.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -1.9.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -1.9.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -1.9.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -1.9.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -1.9.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -1.9.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. 
-1.9.0-dev,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. -1.9.0-dev,true,container,container.id,keyword,core,,,Unique container id. -1.9.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. -1.9.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. -1.9.0-dev,true,container,container.labels,object,extended,,,Image labels. -1.9.0-dev,true,container,container.name,keyword,extended,,,Container name. -1.9.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -1.9.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. -1.9.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.9.0-dev,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. -1.9.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.9.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -1.9.0-dev,true,destination,destination.domain,keyword,core,,,Destination domain. -1.9.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -1.9.0-dev,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. -1.9.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -1.9.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.9.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -1.9.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.9.0-dev,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. 
-1.9.0-dev,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. -1.9.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.9.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -1.9.0-dev,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -1.9.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. -1.9.0-dev,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. -1.9.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -1.9.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -1.9.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -1.9.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -1.9.0-dev,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -1.9.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -1.9.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.9.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev,true,destination,destination.user.email,keyword,extended,,,User email address. -1.9.0-dev,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-1.9.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.9.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -1.9.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.9.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user. -1.9.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. -1.9.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.9.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.9.0-dev,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -1.9.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.9.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.9.0-dev,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -1.9.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.9.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.9.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -1.9.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -1.9.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -1.9.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. 
-1.9.0-dev,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. -1.9.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -1.9.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -1.9.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.9.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.9.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.9.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.9.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.9.0-dev,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.9.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.9.0-dev,true,dns,dns.answers,object,extended,array,,Array of DNS answers. -1.9.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -1.9.0-dev,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. -1.9.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -1.9.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -1.9.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -1.9.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. 
-1.9.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -1.9.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -1.9.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -1.9.0-dev,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. -1.9.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -1.9.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -1.9.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.9.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. -1.9.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -1.9.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -1.9.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -1.9.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -1.9.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. -1.9.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. -1.9.0-dev,true,error,error.message,text,core,,,Error message. -1.9.0-dev,false,error,error.stack_trace,keyword,extended,,,The stack trace of this error in plain text. -1.9.0-dev,false,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. -1.9.0-dev,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." 
-1.9.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -1.9.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -1.9.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. -1.9.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -1.9.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -1.9.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -1.9.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. -1.9.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -1.9.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -1.9.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -1.9.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -1.9.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -1.9.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -1.9.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -1.9.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. 
-1.9.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -1.9.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -1.9.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -1.9.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -1.9.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. -1.9.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. -1.9.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -1.9.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. -1.9.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -1.9.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -1.9.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. -1.9.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -1.9.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.9.0-dev,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -1.9.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
-1.9.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.9.0-dev,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -1.9.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.9.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.9.0-dev,true,file,file.created,date,extended,,,File creation time. -1.9.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -1.9.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -1.9.0-dev,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. -1.9.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -1.9.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -1.9.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -1.9.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -1.9.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -1.9.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -1.9.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. -1.9.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -1.9.0-dev,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. -1.9.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -1.9.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -1.9.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. 
-1.9.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. -1.9.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -1.9.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. -1.9.0-dev,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.9.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.9.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.9.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.9.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.9.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.9.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.9.0-dev,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.9.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.9.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. -1.9.0-dev,true,file,file.target_path,keyword,extended,,,Target path for symlinks. -1.9.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks. -1.9.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -1.9.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -1.9.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
-1.9.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -1.9.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.9.0-dev,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.9.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.9.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.9.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -1.9.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.9.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.9.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.9.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.9.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.9.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.9.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
-1.9.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -1.9.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.9.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.9.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.9.0-dev,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.9.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.9.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -1.9.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.9.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.9.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -1.9.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.9.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.9.0-dev,true,group,group.name,keyword,extended,,,Name of the group. -1.9.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -1.9.0-dev,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." -1.9.0-dev,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. -1.9.0-dev,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. 
-1.9.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -1.9.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -1.9.0-dev,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. -1.9.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -1.9.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.9.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -1.9.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.9.0-dev,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -1.9.0-dev,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. -1.9.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.9.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -1.9.0-dev,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -1.9.0-dev,true,host,host.hostname,keyword,core,,,Hostname of the host. -1.9.0-dev,true,host,host.id,keyword,core,,,Unique host id. -1.9.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. -1.9.0-dev,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. -1.9.0-dev,true,host,host.name,keyword,core,,,Name of the host. -1.9.0-dev,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. -1.9.0-dev,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. -1.9.0-dev,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. -1.9.0-dev,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. 
-1.9.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.9.0-dev,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.9.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.9.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.9.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -1.9.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.9.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.9.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -1.9.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.9.0-dev,true,host,host.type,keyword,core,,,Type of host. -1.9.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -1.9.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev,true,host,host.user.email,keyword,extended,,,User email address. -1.9.0-dev,true,host,host.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.9.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.9.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group. 
-1.9.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.9.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev,true,host,host.user.name,keyword,core,,albert,Short name or login of the user. -1.9.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. -1.9.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.9.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. -1.9.0-dev,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body. -1.9.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. -1.9.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -1.9.0-dev,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. -1.9.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. -1.9.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -1.9.0-dev,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. -1.9.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -1.9.0-dev,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body. -1.9.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. -1.9.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -1.9.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. 
-1.9.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -1.9.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. -1.9.0-dev,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -1.9.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. -1.9.0-dev,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -1.9.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. -1.9.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. -1.9.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -1.9.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." -1.9.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata -1.9.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -1.9.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -1.9.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -1.9.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -1.9.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -1.9.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. -1.9.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -1.9.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -1.9.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. 
-1.9.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -1.9.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -1.9.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information -1.9.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.9.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.9.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. -1.9.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -1.9.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. -1.9.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -1.9.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -1.9.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.9.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -1.9.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information -1.9.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -1.9.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -1.9.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -1.9.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.9.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
-1.9.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -1.9.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -1.9.0-dev,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. -1.9.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -1.9.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.9.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -1.9.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.9.0-dev,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -1.9.0-dev,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. -1.9.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.9.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -1.9.0-dev,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -1.9.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -1.9.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information -1.9.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -1.9.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -1.9.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -1.9.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -1.9.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. 
-1.9.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -1.9.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -1.9.0-dev,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. -1.9.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -1.9.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.9.0-dev,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.9.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.9.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -1.9.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -1.9.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.9.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.9.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -1.9.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.9.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -1.9.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -1.9.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -1.9.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. 
-1.9.0-dev,true,observer,observer.version,keyword,core,,,Observer version. -1.9.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -1.9.0-dev,true,organization,organization.name,keyword,extended,,,Organization name. -1.9.0-dev,true,organization,organization.name.text,text,extended,,,Organization name. -1.9.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -1.9.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -1.9.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -1.9.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -1.9.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -1.9.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. -1.9.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -1.9.0-dev,true,package,package.name,keyword,extended,,go,Package name -1.9.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -1.9.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -1.9.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. -1.9.0-dev,true,package,package.type,keyword,extended,,rpm,Package type -1.9.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version -1.9.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -1.9.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. 
-1.9.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.9.0-dev,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -1.9.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.9.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.9.0-dev,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -1.9.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.9.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.9.0-dev,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.9.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.9.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -1.9.0-dev,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.9.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.9.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. -1.9.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -1.9.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -1.9.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -1.9.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. 
-1.9.0-dev,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. -1.9.0-dev,true,process,process.name,keyword,extended,,ssh,Process name. -1.9.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. -1.9.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -1.9.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -1.9.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.9.0-dev,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -1.9.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.9.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.9.0-dev,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -1.9.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.9.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.9.0-dev,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.9.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -1.9.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 
-1.9.0-dev,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.9.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. -1.9.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -1.9.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -1.9.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -1.9.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -1.9.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -1.9.0-dev,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. -1.9.0-dev,true,process,process.parent.name,keyword,extended,,ssh,Process name. -1.9.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name. -1.9.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.9.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.9.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.9.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.9.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.9.0-dev,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.9.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.9.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. 
-1.9.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. -1.9.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. -1.9.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -1.9.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -1.9.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. -1.9.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. -1.9.0-dev,true,process,process.parent.title.text,text,extended,,,Process title. -1.9.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -1.9.0-dev,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. -1.9.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. -1.9.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -1.9.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -1.9.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -1.9.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -1.9.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -1.9.0-dev,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -1.9.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -1.9.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. 
-1.9.0-dev,true,process,process.pid,long,core,,4242,Process id. -1.9.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid. -1.9.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -1.9.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. -1.9.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. -1.9.0-dev,true,process,process.title,keyword,extended,,,Process title. -1.9.0-dev,true,process,process.title.text,text,extended,,,Process title. -1.9.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -1.9.0-dev,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. -1.9.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. -1.9.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -1.9.0-dev,true,registry,registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -1.9.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -1.9.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -1.9.0-dev,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -1.9.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -1.9.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -1.9.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. 
-1.9.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -1.9.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -1.9.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event. -1.9.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -1.9.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -1.9.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -1.9.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID -1.9.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -1.9.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -1.9.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -1.9.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -1.9.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -1.9.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version -1.9.0-dev,true,server,server.address,keyword,extended,,,Server network address. -1.9.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.9.0-dev,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. -1.9.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.9.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -1.9.0-dev,true,server,server.domain,keyword,core,,,Server domain. -1.9.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -1.9.0-dev,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. -1.9.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. 
-1.9.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.9.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. -1.9.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.9.0-dev,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -1.9.0-dev,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. -1.9.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.9.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -1.9.0-dev,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -1.9.0-dev,true,server,server.ip,ip,core,,,IP address of the server. -1.9.0-dev,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. -1.9.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip -1.9.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port -1.9.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -1.9.0-dev,true,server,server.port,long,core,,,Port of the server. -1.9.0-dev,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -1.9.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -1.9.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.9.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev,true,server,server.user.email,keyword,extended,,,User email address. -1.9.0-dev,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 
-1.9.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.9.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.9.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. -1.9.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.9.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev,true,server,server.user.name,keyword,core,,albert,Short name or login of the user. -1.9.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. -1.9.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.9.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -1.9.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -1.9.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -1.9.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -1.9.0-dev,true,service,service.state,keyword,core,,,Current state of the service. -1.9.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -1.9.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. -1.9.0-dev,true,source,source.address,keyword,extended,,,Source network address. -1.9.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.9.0-dev,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. -1.9.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. 
-1.9.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -1.9.0-dev,true,source,source.domain,keyword,core,,,Source domain. -1.9.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -1.9.0-dev,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. -1.9.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -1.9.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.9.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -1.9.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.9.0-dev,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -1.9.0-dev,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. -1.9.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.9.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -1.9.0-dev,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -1.9.0-dev,true,source,source.ip,ip,core,,,IP address of the source. -1.9.0-dev,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. -1.9.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip -1.9.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port -1.9.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -1.9.0-dev,true,source,source.port,long,core,,,Port of the source. -1.9.0-dev,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -1.9.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. 
-1.9.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.9.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev,true,source,source.user.email,keyword,extended,,,User email address. -1.9.0-dev,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.9.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.9.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. -1.9.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.9.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev,true,source,source.user.name,keyword,core,,albert,Short name or login of the user. -1.9.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. -1.9.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.9.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -1.9.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -1.9.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -1.9.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -1.9.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. 
-1.9.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. -1.9.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -1.9.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. -1.9.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -1.9.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -1.9.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. -1.9.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. -1.9.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -1.9.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -1.9.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -1.9.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -1.9.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -1.9.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. 
-1.9.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -1.9.0-dev,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -1.9.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -1.9.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -1.9.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -1.9.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -1.9.0-dev,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -1.9.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -1.9.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.9.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-1.9.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.9.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.9.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.9.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.9.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -1.9.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.9.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.9.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.9.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.9.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.9.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.9.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.9.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
-1.9.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.9.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.9.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.9.0-dev,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.9.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.9.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -1.9.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.9.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.9.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -1.9.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -1.9.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -1.9.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -1.9.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -1.9.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. 
-1.9.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -1.9.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -1.9.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -1.9.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -1.9.0-dev,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -1.9.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -1.9.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -1.9.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -1.9.0-dev,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -1.9.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.9.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-1.9.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.9.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.9.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.9.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.9.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -1.9.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.9.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.9.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.9.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.9.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -1.9.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.9.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.9.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
-1.9.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.9.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.9.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.9.0-dev,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.9.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.9.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -1.9.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.9.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.9.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -1.9.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -1.9.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -1.9.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -1.9.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -1.9.0-dev,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. -1.9.0-dev,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." 
-1.9.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -1.9.0-dev,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.9.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.9.0-dev,true,url,url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.9.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.9.0-dev,true,url,url.password,keyword,extended,,,Password of the request. -1.9.0-dev,true,url,url.path,keyword,extended,,,"Path of the request, such as ""/search""." -1.9.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -1.9.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. -1.9.0-dev,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -1.9.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -1.9.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -1.9.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.9.0-dev,true,url,url.username,keyword,extended,,,Username of the request. -1.9.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev,true,user,user.changes.email,keyword,extended,,,User email address. -1.9.0-dev,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 
-1.9.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.9.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.9.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -1.9.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.9.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev,true,user,user.changes.name,keyword,core,,albert,Short name or login of the user. -1.9.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. -1.9.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.9.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev,true,user,user.effective.email,keyword,extended,,,User email address. -1.9.0-dev,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.9.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.9.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -1.9.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.9.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. 
-1.9.0-dev,true,user,user.effective.name,keyword,core,,albert,Short name or login of the user. -1.9.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. -1.9.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.9.0-dev,true,user,user.email,keyword,extended,,,User email address. -1.9.0-dev,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -1.9.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.9.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. -1.9.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.9.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev,true,user,user.name,keyword,core,,albert,Short name or login of the user. -1.9.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user. -1.9.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.9.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -1.9.0-dev,true,user,user.target.email,keyword,extended,,,User email address. -1.9.0-dev,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -1.9.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-1.9.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -1.9.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. -1.9.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -1.9.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user. -1.9.0-dev,true,user,user.target.name,keyword,core,,albert,Short name or login of the user. -1.9.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. -1.9.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -1.9.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -1.9.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -1.9.0-dev,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -1.9.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -1.9.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -1.9.0-dev,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.9.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -1.9.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
-1.9.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." -1.9.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -1.9.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -1.9.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -1.9.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -1.9.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -1.9.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -1.9.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -1.9.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -1.9.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -1.9.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -1.9.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -1.9.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -1.9.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -1.9.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. 
-1.9.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -1.9.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -1.9.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -1.9.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -1.9.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +1.9.0,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +1.9.0,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +1.9.0,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. +1.9.0,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +1.9.0,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +1.9.0,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +1.9.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +1.9.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +1.9.0,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +1.9.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +1.9.0,true,client,client.address,keyword,extended,,,Client network address. +1.9.0,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.9.0,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.9.0,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. 
+1.9.0,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +1.9.0,true,client,client.domain,keyword,core,,,Client domain. +1.9.0,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +1.9.0,true,client,client.geo.continent_code,keyword,core,,NA,Continent code. +1.9.0,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +1.9.0,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.9.0,true,client,client.geo.postal_code,keyword,core,,94040,Postal code. +1.9.0,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +1.9.0,true,client,client.ip,ip,core,,,IP address of the client. +1.9.0,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client. +1.9.0,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +1.9.0,true,client,client.nat.port,long,extended,,,Client NAT port +1.9.0,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +1.9.0,true,client,client.port,long,core,,,Port of the client. +1.9.0,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +1.9.0,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +1.9.0,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
+1.9.0,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0,true,client,client.user.email,keyword,extended,,,User email address. +1.9.0,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.9.0,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0,true,client,client.user.group.name,keyword,extended,,,Name of the group. +1.9.0,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0,true,client,client.user.id,keyword,core,,,Unique identifier of the user. +1.9.0,true,client,client.user.name,keyword,core,,albert,Short name or login of the user. +1.9.0,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. +1.9.0,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +1.9.0,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +1.9.0,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. +1.9.0,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +1.9.0,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. +1.9.0,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +1.9.0,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. 
+1.9.0,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +1.9.0,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +1.9.0,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. +1.9.0,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name. +1.9.0,true,container,container.id,keyword,core,,,Unique container id. +1.9.0,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +1.9.0,true,container,container.image.tag,keyword,extended,array,,Container image tags. +1.9.0,true,container,container.labels,object,extended,,,Image labels. +1.9.0,true,container,container.name,keyword,extended,,,Container name. +1.9.0,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +1.9.0,true,destination,destination.address,keyword,extended,,,Destination network address. +1.9.0,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.9.0,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.9.0,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.9.0,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +1.9.0,true,destination,destination.domain,keyword,core,,,Destination domain. +1.9.0,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +1.9.0,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code. +1.9.0,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. 
+1.9.0,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.9.0,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code. +1.9.0,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +1.9.0,true,destination,destination.ip,ip,core,,,IP address of the destination. +1.9.0,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination. +1.9.0,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +1.9.0,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +1.9.0,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +1.9.0,true,destination,destination.port,long,core,,,Port of the destination. +1.9.0,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +1.9.0,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +1.9.0,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0,true,destination,destination.user.email,keyword,extended,,,User email address. +1.9.0,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.9.0,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 
+1.9.0,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +1.9.0,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. +1.9.0,true,destination,destination.user.name,keyword,core,,albert,Short name or login of the user. +1.9.0,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. +1.9.0,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +1.9.0,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.9.0,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +1.9.0,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.9.0,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.9.0,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +1.9.0,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +1.9.0,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. 
+1.9.0,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash. +1.9.0,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +1.9.0,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +1.9.0,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.9.0,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.9.0,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.9.0,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.9.0,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.9.0,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.9.0,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +1.9.0,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +1.9.0,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +1.9.0,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +1.9.0,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +1.9.0,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +1.9.0,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. 
+1.9.0,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +1.9.0,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +1.9.0,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +1.9.0,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +1.9.0,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +1.9.0,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +1.9.0,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +1.9.0,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +1.9.0,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +1.9.0,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +1.9.0,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +1.9.0,true,error,error.code,keyword,core,,,Error code describing the error. +1.9.0,true,error,error.id,keyword,core,,,Unique identifier for the error. +1.9.0,true,error,error.message,text,core,,,Error message. +1.9.0,false,error,error.stack_trace,keyword,extended,,,The stack trace of this error in plain text. +1.9.0,false,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. +1.9.0,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +1.9.0,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. 
+1.9.0,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +1.9.0,true,event,event.code,keyword,extended,,4648,Identification code for this event. +1.9.0,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +1.9.0,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +1.9.0,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +1.9.0,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +1.9.0,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +1.9.0,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +1.9.0,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +1.9.0,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +1.9.0,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +1.9.0,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +1.9.0,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +1.9.0,true,event,event.provider,keyword,extended,,kernel,Source of the event. 
+1.9.0,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +1.9.0,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +1.9.0,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +1.9.0,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +1.9.0,true,event,event.sequence,long,extended,,,Sequence number of the event. +1.9.0,true,event,event.severity,long,core,,7,Numeric severity of the event. +1.9.0,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +1.9.0,true,event,event.timezone,keyword,extended,,,Event time zone. +1.9.0,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +1.9.0,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +1.9.0,true,file,file.accessed,date,extended,,,Last time the file was accessed. +1.9.0,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +1.9.0,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +1.9.0,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.9.0,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
+1.9.0,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.9.0,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.9.0,true,file,file.created,date,extended,,,File creation time. +1.9.0,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +1.9.0,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +1.9.0,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +1.9.0,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +1.9.0,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +1.9.0,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +1.9.0,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +1.9.0,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +1.9.0,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +1.9.0,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +1.9.0,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +1.9.0,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +1.9.0,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +1.9.0,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +1.9.0,true,file,file.mtime,date,extended,,,Last time the file content was modified. +1.9.0,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +1.9.0,true,file,file.owner,keyword,extended,,alice,File owner's username. 
+1.9.0,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.9.0,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.9.0,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.9.0,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.9.0,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.9.0,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.9.0,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.9.0,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.9.0,true,file,file.size,long,extended,,16384,File size in bytes. +1.9.0,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +1.9.0,true,file,file.target_path.text,text,extended,,,Target path for symlinks. +1.9.0,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +1.9.0,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +1.9.0,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.9.0,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+1.9.0,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.9.0,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.9.0,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.9.0,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.9.0,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +1.9.0,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.9.0,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.9.0,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.9.0,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.9.0,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.9.0,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.9.0,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.9.0,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
+1.9.0,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.9.0,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.9.0,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.9.0,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.9.0,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +1.9.0,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.9.0,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +1.9.0,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0,true,group,group.name,keyword,extended,,,Name of the group. +1.9.0,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +1.9.0,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +1.9.0,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +1.9.0,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +1.9.0,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +1.9.0,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +1.9.0,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. +1.9.0,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. 
+1.9.0,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +1.9.0,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.9.0,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. +1.9.0,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +1.9.0,true,host,host.hostname,keyword,core,,,Hostname of the host. +1.9.0,true,host,host.id,keyword,core,,,Unique host id. +1.9.0,true,host,host.ip,ip,core,array,,Host ip addresses. +1.9.0,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +1.9.0,true,host,host.name,keyword,core,,,Name of the host. +1.9.0,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +1.9.0,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +1.9.0,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +1.9.0,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +1.9.0,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.9.0,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
+1.9.0,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +1.9.0,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.9.0,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.9.0,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +1.9.0,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.9.0,true,host,host.type,keyword,core,,,Type of host. +1.9.0,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +1.9.0,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0,true,host,host.user.email,keyword,extended,,,User email address. +1.9.0,true,host,host.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.9.0,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0,true,host,host.user.group.name,keyword,extended,,,Name of the group. +1.9.0,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0,true,host,host.user.id,keyword,core,,,Unique identifier of the user. +1.9.0,true,host,host.user.name,keyword,core,,albert,Short name or login of the user. +1.9.0,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. +1.9.0,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. 
+1.9.0,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body. +1.9.0,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. +1.9.0,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +1.9.0,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +1.9.0,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. +1.9.0,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +1.9.0,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +1.9.0,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +1.9.0,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body. +1.9.0,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. +1.9.0,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +1.9.0,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +1.9.0,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +1.9.0,true,http,http.version,keyword,extended,,1.1,HTTP version. +1.9.0,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +1.9.0,true,log,log.level,keyword,core,,error,Log level of the log event. +1.9.0,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +1.9.0,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. +1.9.0,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. 
+1.9.0,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. +1.9.0,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." +1.9.0,true,log,log.syslog,object,extended,,,Syslog metadata +1.9.0,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +1.9.0,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +1.9.0,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +1.9.0,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +1.9.0,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +1.9.0,true,network,network.application,keyword,extended,,aim,Application level protocol name. +1.9.0,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +1.9.0,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +1.9.0,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +1.9.0,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +1.9.0,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +1.9.0,true,network,network.inner,object,extended,,,Inner VLAN tag information +1.9.0,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.9.0,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.9.0,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +1.9.0,true,network,network.packets,long,core,,24,Total packets transferred in both directions. 
+1.9.0,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. +1.9.0,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +1.9.0,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +1.9.0,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.9.0,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.9.0,true,observer,observer.egress,object,extended,,,Object field for egress information +1.9.0,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +1.9.0,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +1.9.0,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +1.9.0,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.9.0,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.9.0,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +1.9.0,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +1.9.0,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. +1.9.0,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +1.9.0,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.9.0,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. 
+1.9.0,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +1.9.0,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +1.9.0,true,observer,observer.ingress,object,extended,,,Object field for ingress information +1.9.0,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +1.9.0,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +1.9.0,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +1.9.0,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +1.9.0,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +1.9.0,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +1.9.0,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +1.9.0,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +1.9.0,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +1.9.0,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.9.0,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.9.0,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 
+1.9.0,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.9.0,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.9.0,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +1.9.0,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.9.0,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +1.9.0,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +1.9.0,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +1.9.0,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +1.9.0,true,observer,observer.version,keyword,core,,,Observer version. +1.9.0,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +1.9.0,true,organization,organization.name,keyword,extended,,,Organization name. +1.9.0,true,organization,organization.name.text,text,extended,,,Organization name. +1.9.0,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +1.9.0,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +1.9.0,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +1.9.0,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +1.9.0,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +1.9.0,true,package,package.installed,date,extended,,,Time when package was installed. 
+1.9.0,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +1.9.0,true,package,package.name,keyword,extended,,go,Package name +1.9.0,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +1.9.0,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +1.9.0,true,package,package.size,long,extended,,62231,Package size in bytes. +1.9.0,true,package,package.type,keyword,extended,,rpm,Package type +1.9.0,true,package,package.version,keyword,extended,,1.12.9,Package version +1.9.0,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +1.9.0,true,process,process.args_count,long,extended,,4,Length of the process.args array. +1.9.0,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +1.9.0,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.9.0,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +1.9.0,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.9.0,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.9.0,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+1.9.0,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.9.0,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +1.9.0,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.9.0,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.9.0,true,process,process.exit_code,long,extended,,137,The exit code of the process. +1.9.0,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +1.9.0,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +1.9.0,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +1.9.0,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +1.9.0,true,process,process.name,keyword,extended,,ssh,Process name. +1.9.0,true,process,process.name.text,text,extended,,ssh,Process name. +1.9.0,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +1.9.0,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +1.9.0,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.9.0,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +1.9.0,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.9.0,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.9.0,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
+1.9.0,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.9.0,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.9.0,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.9.0,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +1.9.0,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +1.9.0,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.9.0,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +1.9.0,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +1.9.0,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +1.9.0,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +1.9.0,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +1.9.0,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +1.9.0,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +1.9.0,true,process,process.parent.name,keyword,extended,,ssh,Process name. +1.9.0,true,process,process.parent.name.text,text,extended,,ssh,Process name. +1.9.0,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.9.0,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.9.0,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
+1.9.0,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.9.0,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.9.0,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.9.0,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +1.9.0,true,process,process.parent.pid,long,core,,4242,Process id. +1.9.0,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. +1.9.0,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +1.9.0,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +1.9.0,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +1.9.0,true,process,process.parent.title,keyword,extended,,,Process title. +1.9.0,true,process,process.parent.title.text,text,extended,,,Process title. +1.9.0,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +1.9.0,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +1.9.0,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. +1.9.0,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.9.0,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.9.0,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
+1.9.0,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.9.0,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.9.0,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.9.0,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.9.0,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +1.9.0,true,process,process.pid,long,core,,4242,Process id. +1.9.0,true,process,process.ppid,long,extended,,4241,Parent process' pid. +1.9.0,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +1.9.0,true,process,process.thread.id,long,extended,,4242,Thread ID. +1.9.0,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +1.9.0,true,process,process.title,keyword,extended,,,Process title. +1.9.0,true,process,process.title.text,text,extended,,,Process title. +1.9.0,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +1.9.0,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +1.9.0,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. +1.9.0,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +1.9.0,true,registry,registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +1.9.0,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +1.9.0,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. 
+1.9.0,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +1.9.0,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +1.9.0,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +1.9.0,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +1.9.0,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +1.9.0,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +1.9.0,true,related,related.user,keyword,extended,array,,All the user names seen on your event. +1.9.0,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +1.9.0,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +1.9.0,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +1.9.0,true,rule,rule.id,keyword,extended,,101,Rule ID +1.9.0,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +1.9.0,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +1.9.0,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +1.9.0,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +1.9.0,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +1.9.0,true,rule,rule.version,keyword,extended,,1.1,Rule version +1.9.0,true,server,server.address,keyword,extended,,,Server network address. +1.9.0,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.9.0,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. 
+1.9.0,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.9.0,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +1.9.0,true,server,server.domain,keyword,core,,,Server domain. +1.9.0,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +1.9.0,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +1.9.0,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +1.9.0,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.9.0,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. +1.9.0,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +1.9.0,true,server,server.ip,ip,core,,,IP address of the server. +1.9.0,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +1.9.0,true,server,server.nat.ip,ip,extended,,,Server NAT ip +1.9.0,true,server,server.nat.port,long,extended,,,Server NAT port +1.9.0,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +1.9.0,true,server,server.port,long,core,,,Port of the server. +1.9.0,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +1.9.0,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. 
+1.9.0,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0,true,server,server.user.email,keyword,extended,,,User email address. +1.9.0,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.9.0,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0,true,server,server.user.group.name,keyword,extended,,,Name of the group. +1.9.0,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0,true,server,server.user.id,keyword,core,,,Unique identifier of the user. +1.9.0,true,server,server.user.name,keyword,core,,albert,Short name or login of the user. +1.9.0,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. +1.9.0,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +1.9.0,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +1.9.0,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +1.9.0,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +1.9.0,true,service,service.state,keyword,core,,,Current state of the service. +1.9.0,true,service,service.type,keyword,core,,elasticsearch,The type of the service. 
+1.9.0,true,service,service.version,keyword,core,,3.2.4,Version of the service. +1.9.0,true,source,source.address,keyword,extended,,,Source network address. +1.9.0,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.9.0,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.9.0,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.9.0,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +1.9.0,true,source,source.domain,keyword,core,,,Source domain. +1.9.0,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +1.9.0,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. +1.9.0,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +1.9.0,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.9.0,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +1.9.0,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.9.0,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.9.0,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. +1.9.0,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.9.0,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +1.9.0,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +1.9.0,true,source,source.ip,ip,core,,,IP address of the source. +1.9.0,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. +1.9.0,true,source,source.nat.ip,ip,extended,,,Source NAT ip +1.9.0,true,source,source.nat.port,long,extended,,,Source NAT port +1.9.0,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. 
+1.9.0,true,source,source.port,long,core,,,Port of the source. +1.9.0,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +1.9.0,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +1.9.0,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0,true,source,source.user.email,keyword,extended,,,User email address. +1.9.0,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.9.0,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0,true,source,source.user.group.name,keyword,extended,,,Name of the group. +1.9.0,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0,true,source,source.user.id,keyword,core,,,Unique identifier of the user. +1.9.0,true,source,source.user.name,keyword,core,,albert,Short name or login of the user. +1.9.0,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. +1.9.0,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +1.9.0,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +1.9.0,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. 
+1.9.0,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +1.9.0,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +1.9.0,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +1.9.0,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +1.9.0,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. +1.9.0,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +1.9.0,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +1.9.0,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +1.9.0,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. +1.9.0,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +1.9.0,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +1.9.0,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +1.9.0,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +1.9.0,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. 
+1.9.0,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +1.9.0,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +1.9.0,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +1.9.0,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +1.9.0,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +1.9.0,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +1.9.0,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +1.9.0,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +1.9.0,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +1.9.0,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.9.0,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+1.9.0,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.9.0,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.9.0,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.9.0,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.9.0,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +1.9.0,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.9.0,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.9.0,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.9.0,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.9.0,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.9.0,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.9.0,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.9.0,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
+1.9.0,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.9.0,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.9.0,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.9.0,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.9.0,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +1.9.0,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.9.0,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +1.9.0,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +1.9.0,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +1.9.0,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +1.9.0,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +1.9.0,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +1.9.0,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. 
+1.9.0,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +1.9.0,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +1.9.0,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +1.9.0,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +1.9.0,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +1.9.0,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +1.9.0,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +1.9.0,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +1.9.0,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.9.0,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+1.9.0,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.9.0,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.9.0,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.9.0,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.9.0,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +1.9.0,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.9.0,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.9.0,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.9.0,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.9.0,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.9.0,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.9.0,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.9.0,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
+1.9.0,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.9.0,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.9.0,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.9.0,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.9.0,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +1.9.0,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.9.0,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.9.0,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +1.9.0,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +1.9.0,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +1.9.0,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +1.9.0,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +1.9.0,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +1.9.0,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +1.9.0,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +1.9.0,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
+1.9.0,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.9.0,true,url,url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.9.0,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.9.0,true,url,url.password,keyword,extended,,,Password of the request. +1.9.0,true,url,url.path,keyword,extended,,,"Path of the request, such as ""/search""." +1.9.0,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +1.9.0,true,url,url.query,keyword,extended,,,Query string of the request. +1.9.0,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +1.9.0,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +1.9.0,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +1.9.0,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.9.0,true,url,url.username,keyword,extended,,,Username of the request. +1.9.0,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0,true,user,user.changes.email,keyword,extended,,,User email address. +1.9.0,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.9.0,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0,true,user,user.changes.group.name,keyword,extended,,,Name of the group. 
+1.9.0,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. +1.9.0,true,user,user.changes.name,keyword,core,,albert,Short name or login of the user. +1.9.0,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. +1.9.0,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0,true,user,user.effective.email,keyword,extended,,,User email address. +1.9.0,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.9.0,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +1.9.0,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. +1.9.0,true,user,user.effective.name,keyword,core,,albert,Short name or login of the user. +1.9.0,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. +1.9.0,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0,true,user,user.email,keyword,extended,,,User email address. 
+1.9.0,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.9.0,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0,true,user,user.group.name,keyword,extended,,,Name of the group. +1.9.0,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0,true,user,user.id,keyword,core,,,Unique identifier of the user. +1.9.0,true,user,user.name,keyword,core,,albert,Short name or login of the user. +1.9.0,true,user,user.name.text,text,core,,albert,Short name or login of the user. +1.9.0,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +1.9.0,true,user,user.target.email,keyword,extended,,,User email address. +1.9.0,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +1.9.0,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +1.9.0,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +1.9.0,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +1.9.0,true,user,user.target.group.name,keyword,extended,,,Name of the group. +1.9.0,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +1.9.0,true,user,user.target.id,keyword,core,,,Unique identifier of the user. +1.9.0,true,user,user.target.name,keyword,core,,albert,Short name or login of the user. 
+1.9.0,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. +1.9.0,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +1.9.0,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +1.9.0,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +1.9.0,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.9.0,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +1.9.0,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +1.9.0,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +1.9.0,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +1.9.0,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +1.9.0,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +1.9.0,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +1.9.0,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 
+1.9.0,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +1.9.0,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +1.9.0,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +1.9.0,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +1.9.0,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.9.0,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +1.9.0,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +1.9.0,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +1.9.0,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +1.9.0,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +1.9.0,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +1.9.0,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +1.9.0,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +1.9.0,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +1.9.0,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +1.9.0,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. 
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 02dc242340..2bb27f4e28 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -5,7 +5,7 @@ "mappings": { "_doc": { "_meta": { - "version": "1.9.0-dev" + "version": "1.9.0" }, "date_detection": false, "dynamic_templates": [ diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 43a7d275c6..b4285d24de 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "1.9.0-dev" + "version": "1.9.0" }, "date_detection": false, "dynamic_templates": [ diff --git a/generated/elasticsearch/component/agent.json b/generated/elasticsearch/component/agent.json index c2b08b44de..218bb33576 100644 --- a/generated/elasticsearch/component/agent.json +++ b/generated/elasticsearch/component/agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/base.json b/generated/elasticsearch/component/base.json index 406ed0981d..65d4bb02a7 100644 --- a/generated/elasticsearch/component/base.json +++ b/generated/elasticsearch/component/base.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/client.json b/generated/elasticsearch/component/client.json index 59e1c4fac5..1c159ce12e 100644 --- a/generated/elasticsearch/component/client.json +++ b/generated/elasticsearch/component/client.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/cloud.json b/generated/elasticsearch/component/cloud.json index f106357123..213fe31dee 100644 --- a/generated/elasticsearch/component/cloud.json +++ b/generated/elasticsearch/component/cloud.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/container.json b/generated/elasticsearch/component/container.json index b7c8e6858e..80b5f22928 100644 --- a/generated/elasticsearch/component/container.json +++ b/generated/elasticsearch/component/container.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/destination.json b/generated/elasticsearch/component/destination.json index d7babcf058..2cca4148d6 100644 --- a/generated/elasticsearch/component/destination.json +++ b/generated/elasticsearch/component/destination.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/dll.json b/generated/elasticsearch/component/dll.json index 29a41ba873..bdb47d8e88 100644 --- a/generated/elasticsearch/component/dll.json +++ b/generated/elasticsearch/component/dll.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/component/dns.json b/generated/elasticsearch/component/dns.json index a27dd8b739..4db2063beb 100644 --- a/generated/elasticsearch/component/dns.json +++ b/generated/elasticsearch/component/dns.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/ecs.json b/generated/elasticsearch/component/ecs.json index 561892a4ed..70cf6c4dd9 100644 --- a/generated/elasticsearch/component/ecs.json +++ b/generated/elasticsearch/component/ecs.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/error.json b/generated/elasticsearch/component/error.json index 1364cd968c..0a121fd81e 100644 --- a/generated/elasticsearch/component/error.json +++ b/generated/elasticsearch/component/error.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/event.json b/generated/elasticsearch/component/event.json index 06bcdfae66..0ddd788827 100644 --- a/generated/elasticsearch/component/event.json +++ b/generated/elasticsearch/component/event.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/file.json b/generated/elasticsearch/component/file.json index fa355f9f35..9dbae0880e 100644 --- a/generated/elasticsearch/component/file.json +++ b/generated/elasticsearch/component/file.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/group.json b/generated/elasticsearch/component/group.json index 13d6a829a5..7225dc3300 100644 --- a/generated/elasticsearch/component/group.json +++ b/generated/elasticsearch/component/group.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/host.json b/generated/elasticsearch/component/host.json index e4ee59abbc..760e5e1e3c 100644 --- a/generated/elasticsearch/component/host.json +++ b/generated/elasticsearch/component/host.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/http.json b/generated/elasticsearch/component/http.json index daff315854..584bdf853a 100644 --- a/generated/elasticsearch/component/http.json +++ b/generated/elasticsearch/component/http.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/log.json b/generated/elasticsearch/component/log.json index 43bf92832c..452ecd5a14 100644 --- a/generated/elasticsearch/component/log.json +++ b/generated/elasticsearch/component/log.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/component/network.json b/generated/elasticsearch/component/network.json index bb6d172e07..ba58d4e865 100644 --- a/generated/elasticsearch/component/network.json +++ b/generated/elasticsearch/component/network.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/observer.json b/generated/elasticsearch/component/observer.json index d4be55d415..e8bfd1d513 100644 --- a/generated/elasticsearch/component/observer.json +++ b/generated/elasticsearch/component/observer.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/organization.json b/generated/elasticsearch/component/organization.json index 8d218314ee..daaf888010 100644 --- a/generated/elasticsearch/component/organization.json +++ b/generated/elasticsearch/component/organization.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/package.json b/generated/elasticsearch/component/package.json index ea843e3323..1f5e74675a 100644 --- a/generated/elasticsearch/component/package.json +++ b/generated/elasticsearch/component/package.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/process.json b/generated/elasticsearch/component/process.json index 42f1df4ba3..4585ee8a0a 100644 
--- a/generated/elasticsearch/component/process.json +++ b/generated/elasticsearch/component/process.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/registry.json b/generated/elasticsearch/component/registry.json index c7daf11d16..17e0bd9c24 100644 --- a/generated/elasticsearch/component/registry.json +++ b/generated/elasticsearch/component/registry.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/related.json b/generated/elasticsearch/component/related.json index 0afe5810bd..a049f8a620 100644 --- a/generated/elasticsearch/component/related.json +++ b/generated/elasticsearch/component/related.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/rule.json b/generated/elasticsearch/component/rule.json index 65dfd9b1c2..fb90cfda88 100644 --- a/generated/elasticsearch/component/rule.json +++ b/generated/elasticsearch/component/rule.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/server.json b/generated/elasticsearch/component/server.json index d824559d6c..ed76a06082 100644 --- a/generated/elasticsearch/component/server.json +++ b/generated/elasticsearch/component/server.json 
@@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/service.json b/generated/elasticsearch/component/service.json index 2d9d66dfe2..7a2d6f94c3 100644 --- a/generated/elasticsearch/component/service.json +++ b/generated/elasticsearch/component/service.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/source.json b/generated/elasticsearch/component/source.json index d6b6bd2048..a7c54e0c74 100644 --- a/generated/elasticsearch/component/source.json +++ b/generated/elasticsearch/component/source.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/threat.json b/generated/elasticsearch/component/threat.json index cdd6f904b5..ac9e924ade 100644 --- a/generated/elasticsearch/component/threat.json +++ b/generated/elasticsearch/component/threat.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/tls.json b/generated/elasticsearch/component/tls.json index 4621cedde0..d7e2538b35 100644 --- a/generated/elasticsearch/component/tls.json +++ b/generated/elasticsearch/component/tls.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { 
diff --git a/generated/elasticsearch/component/tracing.json b/generated/elasticsearch/component/tracing.json index 12ad11e6fa..266cfd06cc 100644 --- a/generated/elasticsearch/component/tracing.json +++ b/generated/elasticsearch/component/tracing.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/url.json b/generated/elasticsearch/component/url.json index 8b7b56aa0d..b15cfae528 100644 --- a/generated/elasticsearch/component/url.json +++ b/generated/elasticsearch/component/url.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/user.json b/generated/elasticsearch/component/user.json index af3bc6bf2f..62829ab8f0 100644 --- a/generated/elasticsearch/component/user.json +++ b/generated/elasticsearch/component/user.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/user_agent.json b/generated/elasticsearch/component/user_agent.json index be9177da45..63ae4e5a95 100644 --- a/generated/elasticsearch/component/user_agent.json +++ b/generated/elasticsearch/component/user_agent.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/component/vulnerability.json b/generated/elasticsearch/component/vulnerability.json index 9de1f1b4e6..01c0415bd0 100644 --- a/generated/elasticsearch/component/vulnerability.json 
+++ b/generated/elasticsearch/component/vulnerability.json @@ -1,7 +1,7 @@ { "_meta": { "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "template": { "mappings": { diff --git a/generated/elasticsearch/template.json b/generated/elasticsearch/template.json index 9444d33b52..b08ff9eccf 100644 --- a/generated/elasticsearch/template.json +++ b/generated/elasticsearch/template.json 
@@ -1,43 +1,43 @@ { "_meta": { "description": "Sample composable template that includes all ECS fields", - "ecs_version": "1.9.0-dev" + "ecs_version": "1.9.0" }, "composed_of": [ - "ecs_1.9.0-dev_agent", - "ecs_1.9.0-dev_base", - "ecs_1.9.0-dev_client", - "ecs_1.9.0-dev_cloud", - "ecs_1.9.0-dev_container", - "ecs_1.9.0-dev_destination", - "ecs_1.9.0-dev_dll", - "ecs_1.9.0-dev_dns", - "ecs_1.9.0-dev_ecs", - "ecs_1.9.0-dev_error", - "ecs_1.9.0-dev_event", - "ecs_1.9.0-dev_file", - "ecs_1.9.0-dev_group", - "ecs_1.9.0-dev_host", - "ecs_1.9.0-dev_http", - "ecs_1.9.0-dev_log", - "ecs_1.9.0-dev_network", - "ecs_1.9.0-dev_observer", - "ecs_1.9.0-dev_organization", - "ecs_1.9.0-dev_package", - "ecs_1.9.0-dev_process", - "ecs_1.9.0-dev_registry", - "ecs_1.9.0-dev_related", - "ecs_1.9.0-dev_rule", - "ecs_1.9.0-dev_server", - "ecs_1.9.0-dev_service", - "ecs_1.9.0-dev_source", - "ecs_1.9.0-dev_threat", - "ecs_1.9.0-dev_tls", - "ecs_1.9.0-dev_tracing", - "ecs_1.9.0-dev_url", - "ecs_1.9.0-dev_user", - "ecs_1.9.0-dev_user_agent", - "ecs_1.9.0-dev_vulnerability" + "ecs_1.9.0_agent", + "ecs_1.9.0_base", + "ecs_1.9.0_client", + "ecs_1.9.0_cloud", + "ecs_1.9.0_container", + "ecs_1.9.0_destination", + "ecs_1.9.0_dll", + "ecs_1.9.0_dns", + "ecs_1.9.0_ecs", + "ecs_1.9.0_error", + "ecs_1.9.0_event", + "ecs_1.9.0_file", + "ecs_1.9.0_group", + "ecs_1.9.0_host", + "ecs_1.9.0_http", + "ecs_1.9.0_log", + "ecs_1.9.0_network", + "ecs_1.9.0_observer", + "ecs_1.9.0_organization", + "ecs_1.9.0_package", + "ecs_1.9.0_process", + "ecs_1.9.0_registry", + "ecs_1.9.0_related", + "ecs_1.9.0_rule", + "ecs_1.9.0_server", + "ecs_1.9.0_service", + "ecs_1.9.0_source", + "ecs_1.9.0_threat", + "ecs_1.9.0_tls", + "ecs_1.9.0_tracing", + "ecs_1.9.0_url", + "ecs_1.9.0_user", + "ecs_1.9.0_user_agent", + "ecs_1.9.0_vulnerability" ], "index_patterns": [ "try-ecs-*" diff --git a/version b/version index b57588e592..f8e233b273 100644 --- a/version +++ b/version @@ -1 +1 @@ -1.9.0-dev +1.9.0