From fe5d8235555381d18c800bea7302cfcd205d7176 Mon Sep 17 00:00:00 2001
From: Ryland Herrick
Date: Tue, 20 Apr 2021 13:56:13 -0500
Subject: [PATCH 1/5] Make script dynamic on our BEATS_VERSION constant
---
 .../scripts/beat_docs/build.js | 31 +++++++++----------
 1 file changed, 14 insertions(+), 17 deletions(-)
diff --git a/x-pack/plugins/security_solution/scripts/beat_docs/build.js b/x-pack/plugins/security_solution/scripts/beat_docs/build.js
index 15b1ec7c84d81..ec10ff1a26ac9 100644
--- a/x-pack/plugins/security_solution/scripts/beat_docs/build.js
+++ b/x-pack/plugins/security_solution/scripts/beat_docs/build.js
@@ -26,35 +26,32 @@ const zlib = require('zlib'); const OUTPUT_DIRECTORY = resolve('scripts', 'beat_docs'); const OUTPUT_SERVER_DIRECTORY = resolve('server', 'utils', 'beat_schema'); +const BEATS_VERSION = '7.9.0'; const beats = [ { - filePath: `${OUTPUT_DIRECTORY}/auditbeat-7.9.0-darwin-x86_64.tar.gz`, + filePath: `${OUTPUT_DIRECTORY}/auditbeat-${BEATS_VERSION}-darwin-x86_64.tar.gz`, index: 'auditbeat-*', - outputDir: `${OUTPUT_DIRECTORY}/auditbeat-7.9.0-darwin-x86_64`, - url: - 'https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-7.9.0-darwin-x86_64.tar.gz', + outputDir: `${OUTPUT_DIRECTORY}/auditbeat-${BEATS_VERSION}-darwin-x86_64`, + url: `https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-${BEATS_VERSION}-darwin-x86_64.tar.gz`, }, { - filePath: `${OUTPUT_DIRECTORY}/filebeat-7.9.0-darwin-x86_64.tar.gz`, + filePath: `${OUTPUT_DIRECTORY}/filebeat-${BEATS_VERSION}-darwin-x86_64.tar.gz`, index: 'filebeat-*', - outputDir: `${OUTPUT_DIRECTORY}/filebeat-7.9.0-darwin-x86_64`, - url: - 'https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.9.0-darwin-x86_64.tar.gz', + outputDir: `${OUTPUT_DIRECTORY}/filebeat-${BEATS_VERSION}-darwin-x86_64`, + url: `https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${BEATS_VERSION}-darwin-x86_64.tar.gz`, }, { - filePath: `${OUTPUT_DIRECTORY}/packetbeat-7.9.0-darwin-x86_64.tar.gz`, + filePath: `${OUTPUT_DIRECTORY}/packetbeat-${BEATS_VERSION}-darwin-x86_64.tar.gz`, index: 'packetbeat-*', - outputDir: `${OUTPUT_DIRECTORY}/packetbeat-7.9.0-darwin-x86_64`, - url: - 'https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-7.9.0-darwin-x86_64.tar.gz', + outputDir: `${OUTPUT_DIRECTORY}/packetbeat-${BEATS_VERSION}-darwin-x86_64`, + url: `https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-${BEATS_VERSION}-darwin-x86_64.tar.gz`, }, { - filePath: `${OUTPUT_DIRECTORY}/winlogbeat-7.9.0-windows-x86_64.zip`, + filePath: 
`${OUTPUT_DIRECTORY}/winlogbeat-${BEATS_VERSION}-windows-x86_64.zip`, index: 'winlogbeat-*', outputDir: `${OUTPUT_DIRECTORY}`, - url: - 'https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.9.0-windows-x86_64.zip', + url: `https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-${BEATS_VERSION}-windows-x86_64.zip`, }, ]; @@ -141,13 +138,13 @@ const manageZipFields = async (beat, filePath, beatFields) => { await extract(filePath, { dir: beat.outputDir }); console.log('building fields', beat.index); const obj = yaml.load( - fs.readFileSync(`${beat.outputDir}/winlogbeat-7.9.0-windows-x86_64/fields.yml`, { + fs.readFileSync(`${beat.outputDir}/winlogbeat-${BEATS_VERSION}-windows-x86_64/fields.yml`, { encoding: 'utf-8', }) ); const eBeatFields = convertSchemaToHash(obj, beatFields); console.log('deleting files', beat.index); - rimraf.sync(`${beat.outputDir}/winlogbeat-7.9.0-windows-x86_64`); + rimraf.sync(`${beat.outputDir}/winlogbeat-${BEATS_VERSION}-windows-x86_64`); rimraf.sync(beat.filePath); return eBeatFields; From 7bb82ac11cea9e4ad2ab0be57c5b422a520c420a Mon Sep 17 00:00:00 2001 From: Ryland Herrick Date: Tue, 20 Apr 2021 13:56:30 -0500 Subject: [PATCH 2/5] Update hardcoded file path in script --- x-pack/plugins/security_solution/scripts/beat_docs/build.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugins/security_solution/scripts/beat_docs/build.js b/x-pack/plugins/security_solution/scripts/beat_docs/build.js index ec10ff1a26ac9..4a2bc9b21c66c 100644 --- a/x-pack/plugins/security_solution/scripts/beat_docs/build.js +++ b/x-pack/plugins/security_solution/scripts/beat_docs/build.js @@ -218,7 +218,7 @@ async function main() { * 2.0. */ - import { BeatFields } from '../../../common/search_strategy/security_solution/beat_fields'; + import { BeatFields } from '../../../common/search_strategy/index_fields'; /* eslint-disable @typescript-eslint/naming-convention */ export const fieldsBeat: BeatFields = 
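Review bot: `BEATS_VERSION` is introduced as `'7.9.0'`, yet PATCH 3/5 of this same series checks in fields described as regenerated from 7.12.0 beats, so as the series stands the constant does not name the release whose output lands in `server/utils/beat_schema`; if a later patch in the series bumps it this is fine, otherwise the two should be brought into agreement before merge. Either way the constant deserves a comment tying it to the committed output, e.g. `// Beats release whose field definitions are regenerated into OUTPUT_SERVER_DIRECTORY; bump this together with the generated fields.` The `darwin-x86_64` / `windows-x86_64` platform suffix and the archive extension are still repeated in every entry of `beats`, so a platform change remains a four-place edit; that is a style observation rather than a defect.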
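Review bot: In manageZipFields the `winlogbeat-${BEATS_VERSION}-windows-x86_64` directory name is still spelled out by hand twice (the `readFileSync` path and the `rimraf.sync` target) as a literal parallel to the `beats` table rather than derived from `beat`; if the archive's top-level directory ever stops matching that literal, the `rimraf.sync` of a non-existent path is a silent no-op and the unpacked tree is left under `OUTPUT_DIRECTORY`. Deriving the name once from the table, e.g. `const extractedDir = \`${beat.outputDir}/${basename(beat.filePath, '.zip')}\`;` and using `extractedDir` in both places, keeps the version in one location and makes the cleanup target depend on the same value the download used (`basename` would come from Node's `path` module, which the file presumably already imports for `resolve`). manageZipFields begins before the hunk.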
From 804d8f4e55d47f9ccb8c8577f7fcb8f361c2043a Mon Sep 17 00:00:00 2001 From: Ryland Herrick Date: Tue, 20 Apr 2021 13:57:03 -0500 Subject: [PATCH 3/5] Update fields with 7.12.0 beats --- .../server/utils/beat_schema/fields.ts | 7657 +++++++++++++++-- 1 file changed, 6938 insertions(+), 719 deletions(-) diff --git a/x-pack/plugins/security_solution/server/utils/beat_schema/fields.ts b/x-pack/plugins/security_solution/server/utils/beat_schema/fields.ts index 4f1dc0079b236..e308c8866c9d3 100644 --- a/x-pack/plugins/security_solution/server/utils/beat_schema/fields.ts +++ b/x-pack/plugins/security_solution/server/utils/beat_schema/fields.ts @@ -55,6 +55,15 @@ export const fieldsBeat: BeatFields = { name: 'tags', type: 'keyword', }, + 'agent.build.original': { + category: 'agent', + description: + 'Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required.', + example: + 'metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]', + name: 'agent.build.original', + type: 'keyword', + }, 'agent.ephemeral_id': { category: 'agent', description: @@ -82,7 +91,7 @@ export const fieldsBeat: BeatFields = { 'agent.type': { category: 'agent', description: - 'Type of the agent. The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.', + 'Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.', example: 'filebeat', name: 'agent.type', type: 'keyword', 
@@ -204,7 +213,7 @@ export const fieldsBeat: BeatFields = { }, 'client.ip': { category: 'client', - description: 'IP address of the client. Can be one or multiple IPv4 or IPv6 addresses.', + description: 'IP address of the client (IPv4 or IPv6).', name: 'client.ip', type: 'ip', }, 
@@ -246,15 +255,23 @@ export const fieldsBeat: BeatFields = { 'client.registered_domain': { category: 'client', description: - 'The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', - example: 'google.com', + 'The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', name: 'client.registered_domain', type: 'keyword', }, + 'client.subdomain': { + category: 'client', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + name: 'client.subdomain', + type: 'keyword', + }, 'client.top_level_domain': { category: 'client', description: - 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', example: 'co.uk', name: 'client.top_level_domain', type: 'keyword', @@ -307,7 +324,7 @@ export const fieldsBeat: BeatFields = { }, 'client.user.id': { category: 'client', - description: 'Unique identifiers of the user.', + description: 'Unique identifier of the user.', name: 'client.user.id', type: 'keyword', }, @@ -318,6 +335,13 @@ export const fieldsBeat: BeatFields = { name: 'client.user.name', type: 'keyword', }, + 'client.user.roles': { + category: 'client', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + name: 'client.user.roles', + type: 'keyword', + }, 'cloud.account.id': { category: 'cloud', description: @@ -326,6 +350,14 @@ export const fieldsBeat: BeatFields = { name: 'cloud.account.id', type: 'keyword', }, + 'cloud.account.name': { + category: 'cloud', + description: + 'The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name.', + example: 'elastic-dev', + name: 'cloud.account.name', + type: 'keyword', + }, 'cloud.availability_zone': { category: 'cloud', description: 'Availability zone in which this host is running.', 
@@ -353,6 +385,21 @@ export const fieldsBeat: BeatFields = { name: 'cloud.machine.type', type: 'keyword', }, + 'cloud.project.id': { + category: 'cloud', + description: + 'The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.', + example: 'my-project', + name: 'cloud.project.id', + type: 'keyword', + }, + 'cloud.project.name': { + category: 'cloud', + description: 'The cloud project name. Examples: Google Cloud Project name, Azure Project name.', + example: 'my project', + name: 'cloud.project.name', + type: 'keyword', + }, 'cloud.provider': { category: 'cloud', description: 'Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.', @@ -537,7 +584,7 @@ export const fieldsBeat: BeatFields = { }, 'destination.ip': { category: 'destination', - description: 'IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.', + description: 'IP address of the destination (IPv4 or IPv6).', name: 'destination.ip', type: 'ip', }, 
@@ -579,15 +626,23 @@ export const fieldsBeat: BeatFields = { 'destination.registered_domain': { category: 'destination', description: - 'The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', - example: 'google.com', + 'The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', name: 'destination.registered_domain', type: 'keyword', }, + 'destination.subdomain': { + category: 'destination', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + name: 'destination.subdomain', + type: 'keyword', + }, 'destination.top_level_domain': { category: 'destination', description: - 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', example: 'co.uk', name: 'destination.top_level_domain', type: 'keyword', @@ -640,7 +695,7 @@ export const fieldsBeat: BeatFields = { }, 'destination.user.id': { category: 'destination', - description: 'Unique identifiers of the user.', + description: 'Unique identifier of the user.', name: 'destination.user.id', type: 'keyword', }, @@ -651,6 +706,13 @@ export const fieldsBeat: BeatFields = { name: 'destination.user.name', type: 'keyword', }, + 'destination.user.roles': { + category: 'destination', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + name: 'destination.user.roles', + type: 'keyword', + }, 'dll.code_signature.exists': { category: 'dll', description: 'Boolean to capture if a signature is present.', @@ -727,6 +789,13 @@ export const fieldsBeat: BeatFields = { name: 'dll.path', type: 'keyword', }, + 'dll.pe.architecture': { + category: 'dll', + description: 'CPU architecture target for the file.', + example: 'x64', + name: 'dll.pe.architecture', + type: 'keyword', + }, 'dll.pe.company': { category: 'dll', description: 'Internal company name of the file, provided at compile-time.', 
@@ -748,6 +817,14 @@ export const fieldsBeat: BeatFields = { name: 'dll.pe.file_version', type: 'keyword', }, + 'dll.pe.imphash': { + category: 'dll', + description: + 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + name: 'dll.pe.imphash', + type: 'keyword', + }, 'dll.pe.original_file_name': { category: 'dll', description: 'Internal name of the file, provided at compile-time.', @@ -788,7 +865,7 @@ export const fieldsBeat: BeatFields = { category: 'dns', description: "The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.", - example: 'www.google.com', + example: 'www.example.com', name: 'dns.answers.name', type: 'keyword', }, @@ -811,7 +888,7 @@ export const fieldsBeat: BeatFields = { category: 'dns', description: 'Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO.', - example: '["RD","RA"]', + example: '["RD", "RA"]', name: 'dns.header_flags', type: 'keyword', }, 
@@ -842,15 +919,15 @@ export const fieldsBeat: BeatFields = { category: 'dns', description: 'The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \\t, \\r, and \\n respectively.', - example: 'www.google.com', + example: 'www.example.com', name: 'dns.question.name', type: 'keyword', }, 'dns.question.registered_domain': { category: 'dns', description: - 'The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', - example: 'google.com', + 'The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', name: 'dns.question.registered_domain', type: 'keyword', }, 
@@ -865,7 +942,7 @@ export const fieldsBeat: BeatFields = { 'dns.question.top_level_domain': { category: 'dns', description: - 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', example: 'co.uk', name: 'dns.question.top_level_domain', type: 'keyword', @@ -881,7 +958,7 @@ export const fieldsBeat: BeatFields = { category: 'dns', description: 'Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.', - example: '["10.10.10.10","10.10.10.11"]', + example: '["10.10.10.10", "10.10.10.11"]', name: 'dns.resolved_ip', type: 'ip', }, 
@@ -1036,7 +1113,7 @@ export const fieldsBeat: BeatFields = { 'event.original': { category: 'event', description: - 'Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`.', + 'Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, consider using the wildcard data type.', example: 'Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232', name: 'event.original', 
@@ -1058,11 +1135,19 @@ export const fieldsBeat: BeatFields = { name: 'event.provider', type: 'keyword', }, + 'event.reason': { + category: 'event', + description: + 'Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).', + example: 'Terminated an unexpected process', + name: 'event.reason', + type: 'keyword', + }, 'event.reference': { category: 'event', description: - 'Reference URL linking to additional information about this event. This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.', - example: 'https://system.vendor.com/event/#0001234', + 'Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.', + example: 'https://system.example.com/event/#0001234', name: 'event.reference', type: 'keyword', }, 
@@ -1121,8 +1206,8 @@ export const fieldsBeat: BeatFields = { 'event.url': { category: 'event', description: - 'URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.', - example: 'https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe', + 'URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.', + example: 'https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe', name: 'event.url', type: 'keyword', }, @@ -1217,7 +1302,8 @@ export const fieldsBeat: BeatFields = { }, 'file.extension': { category: 'file', - description: 'File extension.', + description: + 'File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").', example: 'png', name: 'file.extension', type: 'keyword', @@ -1309,6 +1395,13 @@ export const fieldsBeat: BeatFields = { name: 'file.path', type: 'keyword', }, + 'file.pe.architecture': { + category: 'file', + description: 'CPU architecture target for the file.', + example: 'x64', + name: 'file.pe.architecture', + type: 'keyword', + }, 'file.pe.company': { category: 'file', description: 'Internal company name of the file, provided at compile-time.', 
@@ -1330,6 +1423,14 @@ export const fieldsBeat: BeatFields = { name: 'file.pe.file_version', type: 'keyword', }, + 'file.pe.imphash': { + category: 'file', + description: + 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + name: 'file.pe.imphash', + type: 'keyword', + }, 'file.pe.original_file_name': { category: 'file', description: 'Internal name of the file, provided at compile-time.', 
@@ -1371,6 +1472,177 @@ export const fieldsBeat: BeatFields = { name: 'file.uid', type: 'keyword', }, + 'file.x509.alternative_names': { + category: 'file', + description: + 'List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + name: 'file.x509.alternative_names', + type: 'keyword', + }, + 'file.x509.issuer.common_name': { + category: 'file', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + name: 'file.x509.issuer.common_name', + type: 'keyword', + }, + 'file.x509.issuer.country': { + category: 'file', + description: 'List of country (C) codes', + example: 'US', + name: 'file.x509.issuer.country', + type: 'keyword', + }, + 'file.x509.issuer.distinguished_name': { + category: 'file', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + name: 'file.x509.issuer.distinguished_name', + type: 'keyword', + }, + 'file.x509.issuer.locality': { + category: 'file', + description: 'List of locality names (L)', + example: 'Mountain View', + name: 'file.x509.issuer.locality', + type: 'keyword', + }, + 'file.x509.issuer.organization': { + category: 'file', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + name: 'file.x509.issuer.organization', + type: 'keyword', + }, + 'file.x509.issuer.organizational_unit': { + category: 'file', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + name: 'file.x509.issuer.organizational_unit', + type: 'keyword', + }, + 'file.x509.issuer.state_or_province': { + category: 'file', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + 
name: 'file.x509.issuer.state_or_province', + type: 'keyword', + }, + 'file.x509.not_after': { + category: 'file', + description: 'Time at which the certificate is no longer considered valid.', + example: '"2020-07-16T03:15:39.000Z"', + name: 'file.x509.not_after', + type: 'date', + }, + 'file.x509.not_before': { + category: 'file', + description: 'Time at which the certificate is first considered valid.', + example: '"2019-08-16T01:40:25.000Z"', + name: 'file.x509.not_before', + type: 'date', + }, + 'file.x509.public_key_algorithm': { + category: 'file', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + name: 'file.x509.public_key_algorithm', + type: 'keyword', + }, + 'file.x509.public_key_curve': { + category: 'file', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + name: 'file.x509.public_key_curve', + type: 'keyword', + }, + 'file.x509.public_key_exponent': { + category: 'file', + description: 'Exponent used to derive the public key. This is algorithm specific.', + example: 65537, + name: 'file.x509.public_key_exponent', + type: 'long', + }, + 'file.x509.public_key_size': { + category: 'file', + description: 'The size of the public key space in bits.', + example: 2048, + name: 'file.x509.public_key_size', + type: 'long', + }, + 'file.x509.serial_number': { + category: 'file', + description: + 'Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + name: 'file.x509.serial_number', + type: 'keyword', + }, + 'file.x509.signature_algorithm': { + category: 'file', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + name: 'file.x509.signature_algorithm', + type: 'keyword', + }, + 'file.x509.subject.common_name': { + category: 'file', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + name: 'file.x509.subject.common_name', + type: 'keyword', + }, + 'file.x509.subject.country': { + category: 'file', + description: 'List of country (C) code', + example: 'US', + name: 'file.x509.subject.country', + type: 'keyword', + }, + 'file.x509.subject.distinguished_name': { + category: 'file', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + name: 'file.x509.subject.distinguished_name', + type: 'keyword', + }, + 'file.x509.subject.locality': { + category: 'file', + description: 'List of locality names (L)', + example: 'San Francisco', + name: 'file.x509.subject.locality', + type: 'keyword', + }, + 'file.x509.subject.organization': { + category: 'file', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + name: 'file.x509.subject.organization', + type: 'keyword', + }, + 'file.x509.subject.organizational_unit': { + category: 'file', + description: 'List of organizational units (OU) of subject.', + name: 'file.x509.subject.organizational_unit', + type: 'keyword', + }, + 'file.x509.subject.state_or_province': { + category: 'file', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + name: 'file.x509.subject.state_or_province', + type: 'keyword', + }, + 'file.x509.version_number': { + category: 'file', + description: 'Version of x509 format.', + example: 3, + name: 'file.x509.version_number', + type: 'keyword', + }, 'geo.city_name': { category: 'geo', description: 'City name.', 
@@ -1611,6 +1883,14 @@ export const fieldsBeat: BeatFields = { name: 'host.os.platform', type: 'keyword', }, + 'host.os.type': { + category: 'host', + description: + "Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.", + example: 'macos', + name: 'host.os.type', + type: 'keyword', + }, 'host.os.version': { category: 'host', description: 'Operating system version as a raw string.', @@ -1680,7 +1960,7 @@ export const fieldsBeat: BeatFields = { }, 'host.user.id': { category: 'host', - description: 'Unique identifiers of the user.', + description: 'Unique identifier of the user.', name: 'host.user.id', type: 'keyword', }, @@ -1691,6 +1971,13 @@ export const fieldsBeat: BeatFields = { name: 'host.user.name', type: 'keyword', }, + 'host.user.roles': { + category: 'host', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + name: 'host.user.roles', + type: 'keyword', + }, 'http.request.body.bytes': { category: 'http', description: 'Size in bytes of the request body.', 
@@ -1717,11 +2004,19 @@ export const fieldsBeat: BeatFields = { 'http.request.method': { category: 'http', description: - 'HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".', - example: 'get, post, put', + 'HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0', + example: 'GET, POST, PUT, PoST', name: 'http.request.method', type: 'keyword', }, + 'http.request.mime_type': { + category: 'http', + description: + "Mime type of the body of the request. This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients.", + example: 'image/gif', + name: 'http.request.mime_type', + type: 'keyword', + }, 'http.request.referrer': { category: 'http', description: 'Referrer for this HTTP request.', @@ -1752,6 +2047,14 @@ export const fieldsBeat: BeatFields = { type: 'long', format: 'bytes', }, + 'http.response.mime_type': { + category: 'http', + description: + "Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers.", + example: 'image/gif', + name: 'http.response.mime_type', + type: 'keyword', + }, 'http.response.status_code': { category: 'http', description: 'HTTP response status code.', 
@@ -1789,6 +2092,14 @@ export const fieldsBeat: BeatFields = { name: 'interface.name', type: 'keyword', }, + 'log.file.path': { + category: 'log', + description: + "Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field.", + example: '/var/log/fun-times.log', + name: 'log.file.path', + type: 'keyword', + }, 'log.level': { category: 'log', description: @@ -1816,7 +2127,7 @@ export const fieldsBeat: BeatFields = { 'log.origin.file.name': { category: 'log', description: - 'The name of the file containing the source code which originated the log event. Note that this is not the name of the log file.', + 'The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`.', example: 'Bootstrap.java', name: 'log.origin.file.name', type: 'keyword', 
@@ -1912,7 +2223,7 @@ export const fieldsBeat: BeatFields = { 'network.direction': { category: 'network', description: - "Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter.", + 'Direction of the network traffic. Recommended values are: * ingress * egress * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host\'s point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.', example: 'inbound', name: 'network.direction', type: 'keyword', 
@@ -1935,7 +2246,7 @@ export const fieldsBeat: BeatFields = { 'network.inner': { category: 'network', description: - 'Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)', + 'Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)', name: 'network.inner', type: 'object', }, @@ -2226,6 +2537,14 @@ export const fieldsBeat: BeatFields = { name: 'observer.os.platform', type: 'keyword', }, + 'observer.os.type': { + category: 'observer', + description: + "Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.", + example: 'macos', + name: 'observer.os.type', + type: 'keyword', + }, 'observer.os.version': { category: 'observer', description: 'Operating system version as a raw string.', 
@@ -2314,6 +2633,14 @@ export const fieldsBeat: BeatFields = { name: 'os.platform', type: 'keyword', }, + 'os.type': { + category: 'os', + description: + "Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.", + example: 'macos', + name: 'os.type', + type: 'keyword', + }, 'os.version': { category: 'os', description: 'Operating system version as a raw string.', @@ -2415,6 +2742,13 @@ export const fieldsBeat: BeatFields = { name: 'package.version', type: 'keyword', }, + 'pe.architecture': { + category: 'pe', + description: 'CPU architecture target for the file.', + example: 'x64', + name: 'pe.architecture', + type: 'keyword', + }, 'pe.company': { category: 'pe', description: 'Internal company name of the file, provided at compile-time.', @@ -2436,6 +2770,14 @@ export const fieldsBeat: BeatFields = { name: 'pe.file_version', type: 'keyword', }, + 'pe.imphash': { + category: 'pe', + description: + 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + name: 'pe.imphash', + type: 'keyword', + }, 'pe.original_file_name': { category: 'pe', description: 'Internal name of the file, provided at compile-time.', 
@@ -2454,7 +2796,7 @@ export const fieldsBeat: BeatFields = { category: 'process', description: 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.', - example: '["/usr/bin/ssh","-l","user","10.0.0.16"]', + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]', name: 'process.args', type: 'keyword', }, @@ -2568,8 +2910,9 @@ export const fieldsBeat: BeatFields = { }, 'process.parent.args': { category: 'process', - description: 'Array of process arguments. May be filtered to protect sensitive information.', - example: '["ssh","-l","user","10.0.0.16"]', + description: + 'Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information.', + example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]', name: 'process.parent.args', type: 'keyword', }, 
@@ -2681,6 +3024,56 @@ export const fieldsBeat: BeatFields = { name: 'process.parent.name', type: 'keyword', }, + 'process.parent.pe.architecture': { + category: 'process', + description: 'CPU architecture target for the file.', + example: 'x64', + name: 'process.parent.pe.architecture', + type: 'keyword', + }, + 'process.parent.pe.company': { + category: 'process', + description: 'Internal company name of the file, provided at compile-time.', + example: 'Microsoft Corporation', + name: 'process.parent.pe.company', + type: 'keyword', + }, + 'process.parent.pe.description': { + category: 'process', + description: 'Internal description of the file, provided at compile-time.', + example: 'Paint', + name: 'process.parent.pe.description', + type: 'keyword', + }, + 'process.parent.pe.file_version': { + category: 'process', + description: 'Internal version of the file, provided at compile-time.', + example: '6.3.9600.17415', + name: 'process.parent.pe.file_version', + type: 'keyword', + }, + 'process.parent.pe.imphash': { + category: 'process', + description: + 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + name: 'process.parent.pe.imphash', + type: 'keyword', + }, + 'process.parent.pe.original_file_name': { + category: 'process', + description: 'Internal name of the file, provided at compile-time.', + example: 'MSPAINT.EXE', + name: 'process.parent.pe.original_file_name', + type: 'keyword', + }, + 'process.parent.pe.product': { + category: 'process', + description: 'Internal product name of the file, provided at compile-time.', + example: 'Microsoft® Windows® Operating System', + name: 'process.parent.pe.product', + type: 'keyword', + }, 'process.parent.pgid': { category: 'process', description: 'Identifier of the group of processes the process belongs to.', @@ -2747,6 +3140,13 @@ export const fieldsBeat: BeatFields = { name: 'process.parent.working_directory', type: 'keyword', }, + 'process.pe.architecture': { + category: 'process', + description: 'CPU architecture target for the file.', + example: 'x64', + name: 'process.pe.architecture', + type: 'keyword', + }, 'process.pe.company': { category: 'process', description: 'Internal company name of the file, provided at compile-time.', @@ -2768,6 +3168,14 @@ export const fieldsBeat: BeatFields = { name: 'process.pe.file_version', type: 'keyword', }, + 'process.pe.imphash': { + category: 'process', + description: + 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + name: 'process.pe.imphash', + type: 'keyword', + }, 'process.pe.original_file_name': { category: 'process', description: 'Internal name of the file, provided at compile-time.', 
@@ -2908,6 +3316,13 @@ export const fieldsBeat: BeatFields = { name: 'related.hash', type: 'keyword', }, + 'related.hosts': { + category: 'related', + description: + 'All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.', + name: 'related.hosts', + type: 'keyword', + }, 'related.ip': { category: 'related', description: 'All of the IPs seen on your event.', @@ -3092,7 +3507,7 @@ export const fieldsBeat: BeatFields = { }, 'server.ip': { category: 'server', - description: 'IP address of the server. Can be one or multiple IPv4 or IPv6 addresses.', + description: 'IP address of the server (IPv4 or IPv6).', name: 'server.ip', type: 'ip', }, 
@@ -3134,15 +3549,23 @@ export const fieldsBeat: BeatFields = { 'server.registered_domain': { category: 'server', description: - 'The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', - example: 'google.com', + 'The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', name: 'server.registered_domain', type: 'keyword', }, + 'server.subdomain': { + category: 'server', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + name: 'server.subdomain', + type: 'keyword', + }, 'server.top_level_domain': { category: 'server', description: - 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', example: 'co.uk', name: 'server.top_level_domain', type: 'keyword', @@ -3195,7 +3618,7 @@ export const fieldsBeat: BeatFields = { }, 'server.user.id': { category: 'server', - description: 'Unique identifiers of the user.', + description: 'Unique identifier of the user.', name: 'server.user.id', type: 'keyword', }, @@ -3206,6 +3629,13 @@ export const fieldsBeat: BeatFields = { name: 'server.user.name', type: 'keyword', }, + 'server.user.roles': { + category: 'server', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + name: 'server.user.roles', + type: 'keyword', + }, 'service.ephemeral_id': { category: 'service', description: @@ -3355,7 +3785,7 @@ export const fieldsBeat: BeatFields = { }, 'source.ip': { category: 'source', - description: 'IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.', + description: 'IP address of the source (IPv4 or IPv6).', name: 'source.ip', type: 'ip', }, 
@@ -3397,15 +3827,23 @@ export const fieldsBeat: BeatFields = { 'source.registered_domain': { category: 'source', description: - 'The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', - example: 'google.com', + 'The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', name: 'source.registered_domain', type: 'keyword', }, + 'source.subdomain': { + category: 'source', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + name: 'source.subdomain', + type: 'keyword', + }, 'source.top_level_domain': { category: 'source', description: - 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', example: 'co.uk', name: 'source.top_level_domain', type: 'keyword', @@ -3458,7 +3896,7 @@ export const fieldsBeat: BeatFields = { }, 'source.user.id': { category: 'source', - description: 'Unique identifiers of the user.', + description: 'Unique identifier of the user.', name: 'source.user.id', type: 'keyword', }, @@ -3469,6 +3907,13 @@ export const fieldsBeat: BeatFields = { name: 'source.user.name', type: 'keyword', }, + 'source.user.roles': { + category: 'source', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + name: 'source.user.roles', + type: 'keyword', + }, 'threat.framework': { category: 'threat', description: 
@@ -3480,51 +3925,75 @@ export const fieldsBeat: BeatFields = { 'threat.tactic.id': { category: 'threat', description: - 'The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )', - example: 'TA0040', + 'The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )', + example: 'TA0002', name: 'threat.tactic.id', type: 'keyword', }, 'threat.tactic.name': { category: 'threat', description: - 'Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )', - example: 'impact', + 'Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)', + example: 'Execution', name: 'threat.tactic.name', type: 'keyword', }, 'threat.tactic.reference': { category: 'threat', description: - 'The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )', - example: 'https://attack.mitre.org/tactics/TA0040/', + 'The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )', + example: 'https://attack.mitre.org/tactics/TA0002/', name: 'threat.tactic.reference', type: 'keyword', }, 'threat.technique.id': { category: 'threat', description: - 'The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ )', - example: 'T1499', + 'The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/)', + example: 'T1059', name: 'threat.technique.id', type: 'keyword', }, 'threat.technique.name': { category: 'threat', description: - 'The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ )', - example: 'endpoint denial of service', + 'The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)', + example: 'Command and Scripting Interpreter', name: 'threat.technique.name', type: 'keyword', }, 'threat.technique.reference': { category: 'threat', description: - 'The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ )', - example: 'https://attack.mitre.org/techniques/T1499/', + 'The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)', + example: 'https://attack.mitre.org/techniques/T1059/', name: 'threat.technique.reference', type: 'keyword', }, + 'threat.technique.subtechnique.id': { + category: 'threat', + description: + 'The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)', + example: 'T1059.001', + name: 'threat.technique.subtechnique.id', + type: 'keyword', + }, + 'threat.technique.subtechnique.name': { + category: 'threat', + description: + 'The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. 
https://attack.mitre.org/techniques/T1059/001/)', + example: 'PowerShell', + name: 'threat.technique.subtechnique.name', + type: 'keyword', + }, + 'threat.technique.subtechnique.reference': { + category: 'threat', + description: + 'The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)', + example: 'https://attack.mitre.org/techniques/T1059/001/', + name: 'threat.technique.subtechnique.reference', + type: 'keyword', + }, 'tls.cipher': { category: 'tls', description: 'String indicating the cipher used during the current connection.', @@ -3544,7 +4013,7 @@ export const fieldsBeat: BeatFields = { category: 'tls', description: 'Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.', - example: '["MII...","MII..."]', + example: '["MII...", "MII..."]', name: 'tls.client.certificate_chain', type: 'keyword', }, @@ -3576,7 +4045,7 @@ export const fieldsBeat: BeatFields = { category: 'tls', description: 'Distinguished name of subject of the issuer of the x.509 certificate presented by the client.', - example: 'CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com', + example: 'CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com', name: 'tls.client.issuer', type: 'keyword', }, 
@@ -3604,7 +4073,7 @@ export const fieldsBeat: BeatFields = { 'tls.client.server_name': { category: 'tls', description: - 'Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`.', + 'Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`.', example: 'www.elastic.co', name: 'tls.client.server_name', type: 'keyword', @@ -3612,7 +4081,7 @@ export const fieldsBeat: BeatFields = { 'tls.client.subject': { category: 'tls', description: 'Distinguished name of subject of the x.509 certificate presented by the client.', - example: 'CN=myclient, OU=Documentation Team, DC=mydomain, DC=com', + example: 'CN=myclient, OU=Documentation Team, DC=example, DC=com', name: 'tls.client.subject', type: 'keyword', }, 
@@ -3620,10 +4089,181 @@ export const fieldsBeat: BeatFields = { category: 'tls', description: 'Array of ciphers offered by the client during the client hello.', example: - '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","..."]', + '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]', name: 'tls.client.supported_ciphers', type: 'keyword', }, + 'tls.client.x509.alternative_names': { + category: 'tls', + description: + 'List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + name: 'tls.client.x509.alternative_names', + type: 'keyword', + }, + 'tls.client.x509.issuer.common_name': { + category: 'tls', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + name: 'tls.client.x509.issuer.common_name', + type: 'keyword', + }, + 'tls.client.x509.issuer.country': { + category: 'tls', + description: 'List of country (C) codes', + example: 'US', + name: 'tls.client.x509.issuer.country', + type: 'keyword', + }, + 'tls.client.x509.issuer.distinguished_name': { + category: 'tls', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + name: 'tls.client.x509.issuer.distinguished_name', + type: 'keyword', + }, + 'tls.client.x509.issuer.locality': { + category: 'tls', + description: 'List of locality names (L)', + example: 'Mountain View', + name: 'tls.client.x509.issuer.locality', + type: 'keyword', + }, + 'tls.client.x509.issuer.organization': { + category: 'tls', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + name: 'tls.client.x509.issuer.organization', + type: 'keyword', + }, + 
'tls.client.x509.issuer.organizational_unit': { + category: 'tls', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + name: 'tls.client.x509.issuer.organizational_unit', + type: 'keyword', + }, + 'tls.client.x509.issuer.state_or_province': { + category: 'tls', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + name: 'tls.client.x509.issuer.state_or_province', + type: 'keyword', + }, + 'tls.client.x509.not_after': { + category: 'tls', + description: 'Time at which the certificate is no longer considered valid.', + example: '"2020-07-16T03:15:39.000Z"', + name: 'tls.client.x509.not_after', + type: 'date', + }, + 'tls.client.x509.not_before': { + category: 'tls', + description: 'Time at which the certificate is first considered valid.', + example: '"2019-08-16T01:40:25.000Z"', + name: 'tls.client.x509.not_before', + type: 'date', + }, + 'tls.client.x509.public_key_algorithm': { + category: 'tls', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + name: 'tls.client.x509.public_key_algorithm', + type: 'keyword', + }, + 'tls.client.x509.public_key_curve': { + category: 'tls', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + name: 'tls.client.x509.public_key_curve', + type: 'keyword', + }, + 'tls.client.x509.public_key_exponent': { + category: 'tls', + description: 'Exponent used to derive the public key. This is algorithm specific.', + example: 65537, + name: 'tls.client.x509.public_key_exponent', + type: 'long', + }, + 'tls.client.x509.public_key_size': { + category: 'tls', + description: 'The size of the public key space in bits.', + example: 2048, + name: 'tls.client.x509.public_key_size', + type: 'long', + }, + 'tls.client.x509.serial_number': { + category: 'tls', + description: + 'Unique serial number issued by the certificate authority. 
For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + name: 'tls.client.x509.serial_number', + type: 'keyword', + }, + 'tls.client.x509.signature_algorithm': { + category: 'tls', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + name: 'tls.client.x509.signature_algorithm', + type: 'keyword', + }, + 'tls.client.x509.subject.common_name': { + category: 'tls', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + name: 'tls.client.x509.subject.common_name', + type: 'keyword', + }, + 'tls.client.x509.subject.country': { + category: 'tls', + description: 'List of country (C) code', + example: 'US', + name: 'tls.client.x509.subject.country', + type: 'keyword', + }, + 'tls.client.x509.subject.distinguished_name': { + category: 'tls', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + name: 'tls.client.x509.subject.distinguished_name', + type: 'keyword', + }, + 'tls.client.x509.subject.locality': { + category: 'tls', + description: 'List of locality names (L)', + example: 'San Francisco', + name: 'tls.client.x509.subject.locality', + type: 'keyword', + }, + 'tls.client.x509.subject.organization': { + category: 'tls', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + name: 'tls.client.x509.subject.organization', + type: 'keyword', + }, + 'tls.client.x509.subject.organizational_unit': { + category: 'tls', + description: 'List of organizational units (OU) of subject.', + name: 'tls.client.x509.subject.organizational_unit', + type: 'keyword', + }, + 'tls.client.x509.subject.state_or_province': { 
+ category: 'tls', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + name: 'tls.client.x509.subject.state_or_province', + type: 'keyword', + }, + 'tls.client.x509.version_number': { + category: 'tls', + description: 'Version of x509 format.', + example: 3, + name: 'tls.client.x509.version_number', + type: 'keyword', + }, 'tls.curve': { category: 'tls', description: 'String indicating the curve used for the given cipher, when applicable.', @@ -3665,7 +4305,7 @@ export const fieldsBeat: BeatFields = { category: 'tls', description: 'Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.', - example: '["MII...","MII..."]', + example: '["MII...", "MII..."]', name: 'tls.server.certificate_chain', type: 'keyword', }, @@ -3696,7 +4336,7 @@ export const fieldsBeat: BeatFields = { 'tls.server.issuer': { category: 'tls', description: 'Subject of the issuer of the x.509 certificate presented by the server.', - example: 'CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com', + example: 'CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com', name: 'tls.server.issuer', type: 'keyword', }, 
@@ -3724,10 +4364,181 @@ export const fieldsBeat: BeatFields = { 'tls.server.subject': { category: 'tls', description: 'Subject of the x.509 certificate presented by the server.', - example: 'CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com', + example: 'CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com', name: 'tls.server.subject', type: 'keyword', }, + 'tls.server.x509.alternative_names': { + category: 'tls', + description: + 'List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + name: 'tls.server.x509.alternative_names', + type: 'keyword', + }, + 'tls.server.x509.issuer.common_name': { + category: 'tls', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + name: 'tls.server.x509.issuer.common_name', + type: 'keyword', + }, + 'tls.server.x509.issuer.country': { + category: 'tls', + description: 'List of country (C) codes', + example: 'US', + name: 'tls.server.x509.issuer.country', + type: 'keyword', + }, + 'tls.server.x509.issuer.distinguished_name': { + category: 'tls', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + name: 'tls.server.x509.issuer.distinguished_name', + type: 'keyword', + }, + 'tls.server.x509.issuer.locality': { + category: 'tls', + description: 'List of locality names (L)', + example: 'Mountain View', + name: 'tls.server.x509.issuer.locality', + type: 'keyword', + }, + 'tls.server.x509.issuer.organization': { + category: 'tls', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + name: 'tls.server.x509.issuer.organization', + type: 'keyword', + }, + 'tls.server.x509.issuer.organizational_unit': { + 
category: 'tls', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + name: 'tls.server.x509.issuer.organizational_unit', + type: 'keyword', + }, + 'tls.server.x509.issuer.state_or_province': { + category: 'tls', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + name: 'tls.server.x509.issuer.state_or_province', + type: 'keyword', + }, + 'tls.server.x509.not_after': { + category: 'tls', + description: 'Time at which the certificate is no longer considered valid.', + example: '"2020-07-16T03:15:39.000Z"', + name: 'tls.server.x509.not_after', + type: 'date', + }, + 'tls.server.x509.not_before': { + category: 'tls', + description: 'Time at which the certificate is first considered valid.', + example: '"2019-08-16T01:40:25.000Z"', + name: 'tls.server.x509.not_before', + type: 'date', + }, + 'tls.server.x509.public_key_algorithm': { + category: 'tls', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + name: 'tls.server.x509.public_key_algorithm', + type: 'keyword', + }, + 'tls.server.x509.public_key_curve': { + category: 'tls', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + name: 'tls.server.x509.public_key_curve', + type: 'keyword', + }, + 'tls.server.x509.public_key_exponent': { + category: 'tls', + description: 'Exponent used to derive the public key. This is algorithm specific.', + example: 65537, + name: 'tls.server.x509.public_key_exponent', + type: 'long', + }, + 'tls.server.x509.public_key_size': { + category: 'tls', + description: 'The size of the public key space in bits.', + example: 2048, + name: 'tls.server.x509.public_key_size', + type: 'long', + }, + 'tls.server.x509.serial_number': { + category: 'tls', + description: + 'Unique serial number issued by the certificate authority. 
For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + name: 'tls.server.x509.serial_number', + type: 'keyword', + }, + 'tls.server.x509.signature_algorithm': { + category: 'tls', + description: + 'Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + name: 'tls.server.x509.signature_algorithm', + type: 'keyword', + }, + 'tls.server.x509.subject.common_name': { + category: 'tls', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + name: 'tls.server.x509.subject.common_name', + type: 'keyword', + }, + 'tls.server.x509.subject.country': { + category: 'tls', + description: 'List of country (C) code', + example: 'US', + name: 'tls.server.x509.subject.country', + type: 'keyword', + }, + 'tls.server.x509.subject.distinguished_name': { + category: 'tls', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + name: 'tls.server.x509.subject.distinguished_name', + type: 'keyword', + }, + 'tls.server.x509.subject.locality': { + category: 'tls', + description: 'List of locality names (L)', + example: 'San Francisco', + name: 'tls.server.x509.subject.locality', + type: 'keyword', + }, + 'tls.server.x509.subject.organization': { + category: 'tls', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + name: 'tls.server.x509.subject.organization', + type: 'keyword', + }, + 'tls.server.x509.subject.organizational_unit': { + category: 'tls', + description: 'List of organizational units (OU) of subject.', + name: 'tls.server.x509.subject.organizational_unit', + type: 'keyword', + }, + 'tls.server.x509.subject.state_or_province': { 
+ category: 'tls', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + name: 'tls.server.x509.subject.state_or_province', + type: 'keyword', + }, + 'tls.server.x509.version_number': { + category: 'tls', + description: 'Version of x509 format.', + example: 3, + name: 'tls.server.x509.version_number', + type: 'keyword', + }, 'tls.version': { category: 'tls', description: 'Numeric part of the version parsed from the original string.', 
@@ -3742,26 +4553,34 @@ export const fieldsBeat: BeatFields = { name: 'tls.version_protocol', type: 'keyword', }, - 'tracing.trace.id': { - category: 'tracing', + 'span.id': { + category: 'span', + description: + 'Unique identifier of the span within the scope of its trace. A span represents an operation within a transaction, such as a request to another service, or a database query.', + example: '3ff9a8981b7ccd5a', + name: 'span.id', + type: 'keyword', + }, + 'trace.id': { + category: 'trace', description: 'Unique identifier of the trace. A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.', example: '4bf92f3577b34da6a3ce929d0e0e4736', - name: 'tracing.trace.id', + name: 'trace.id', type: 'keyword', }, - 'tracing.transaction.id': { - category: 'tracing', + 'transaction.id': { + category: 'transaction', description: - 'Unique identifier of the transaction. A transaction is the highest level of work measured within a service, such as a request to a server.', + 'Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server.', example: '00f067aa0ba902b7', - name: 'tracing.transaction.id', + name: 'transaction.id', type: 'keyword', }, 'url.domain': { category: 'url', description: - 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.', + 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.', example: 'www.elastic.co', name: 'url.domain', type: 'keyword', @@ -3769,7 +4588,7 @@ export const fieldsBeat: BeatFields = { 'url.extension': { category: 'url', description: - 'The field contains the file extension from the original request url. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png".', + 'The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").', example: 'png', name: 'url.extension', type: 'keyword', @@ -3827,8 +4646,8 @@ export const fieldsBeat: BeatFields = { 'url.registered_domain': { category: 'url', description: - 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.google.com" is "google.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', - example: 'google.com', + 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".', + example: 'example.com', name: 'url.registered_domain', type: 'keyword', }, 
@@ -3839,10 +4658,18 @@ export const fieldsBeat: BeatFields = { name: 'url.scheme', type: 'keyword', }, + 'url.subdomain': { + category: 'url', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.', + example: 'east', + name: 'url.subdomain', + type: 'keyword', + }, 'url.top_level_domain': { category: 'url', description: - 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".', example: 'co.uk', name: 'url.top_level_domain', type: 'keyword', 
@@ -3853,6 +4680,72 @@ export const fieldsBeat: BeatFields = { name: 'url.username', type: 'keyword', }, + 'user.changes.domain': { + category: 'user', + description: + 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.', + name: 'user.changes.domain', + type: 'keyword', + }, + 'user.changes.email': { + category: 'user', + description: 'User email address.', + name: 'user.changes.email', + type: 'keyword', + }, + 'user.changes.full_name': { + category: 'user', + description: "User's full name, if available.", + example: 'Albert Einstein', + name: 'user.changes.full_name', + type: 'keyword', + }, + 'user.changes.group.domain': { + category: 'user', + description: + 'Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.', + name: 'user.changes.group.domain', + type: 'keyword', + }, + 'user.changes.group.id': { + category: 'user', + description: 'Unique identifier for the group on the system/platform.', + name: 'user.changes.group.id', + type: 'keyword', + }, + 'user.changes.group.name': { + category: 'user', + description: 'Name of the group.', + name: 'user.changes.group.name', + type: 'keyword', + }, + 'user.changes.hash': { + category: 'user', + description: + 'Unique user hash to correlate information for a user in anonymized form. 
Useful if `user.id` or `user.name` contain confidential information and cannot be used.', + name: 'user.changes.hash', + type: 'keyword', + }, + 'user.changes.id': { + category: 'user', + description: 'Unique identifier of the user.', + name: 'user.changes.id', + type: 'keyword', + }, + 'user.changes.name': { + category: 'user', + description: 'Short name or login of the user.', + example: 'albert', + name: 'user.changes.name', + type: 'keyword', + }, + 'user.changes.roles': { + category: 'user', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + name: 'user.changes.roles', + type: 'keyword', + }, 'user.domain': { category: 'user', description: 
@@ -3860,6 +4753,72 @@ export const fieldsBeat: BeatFields = { name: 'user.domain', type: 'keyword', }, + 'user.effective.domain': { + category: 'user', + description: + 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.', + name: 'user.effective.domain', + type: 'keyword', + }, + 'user.effective.email': { + category: 'user', + description: 'User email address.', + name: 'user.effective.email', + type: 'keyword', + }, + 'user.effective.full_name': { + category: 'user', + description: "User's full name, if available.", + example: 'Albert Einstein', + name: 'user.effective.full_name', + type: 'keyword', + }, + 'user.effective.group.domain': { + category: 'user', + description: + 'Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.', + name: 'user.effective.group.domain', + type: 'keyword', + }, + 'user.effective.group.id': { + category: 'user', + description: 'Unique identifier for the group on the system/platform.', + name: 'user.effective.group.id', + type: 'keyword', + }, + 'user.effective.group.name': { + category: 'user', + description: 'Name of the group.', + name: 'user.effective.group.name', + type: 'keyword', + }, + 'user.effective.hash': { + category: 'user', + description: + 'Unique user hash to correlate information for a user in anonymized form. 
Useful if `user.id` or `user.name` contain confidential information and cannot be used.', + name: 'user.effective.hash', + type: 'keyword', + }, + 'user.effective.id': { + category: 'user', + description: 'Unique identifier of the user.', + name: 'user.effective.id', + type: 'keyword', + }, + 'user.effective.name': { + category: 'user', + description: 'Short name or login of the user.', + example: 'albert', + name: 'user.effective.name', + type: 'keyword', + }, + 'user.effective.roles': { + category: 'user', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + name: 'user.effective.roles', + type: 'keyword', + }, 'user.email': { category: 'user', description: 'User email address.', @@ -3901,7 +4860,7 @@ export const fieldsBeat: BeatFields = { }, 'user.id': { category: 'user', - description: 'Unique identifiers of the user.', + description: 'Unique identifier of the user.', name: 'user.id', type: 'keyword', }, 
@@ -3912,6 +4871,79 @@ export const fieldsBeat: BeatFields = { name: 'user.name', type: 'keyword', }, + 'user.roles': { + category: 'user', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + name: 'user.roles', + type: 'keyword', + }, + 'user.target.domain': { + category: 'user', + description: + 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.', + name: 'user.target.domain', + type: 'keyword', + }, + 'user.target.email': { + category: 'user', + description: 'User email address.', + name: 'user.target.email', + type: 'keyword', + }, + 'user.target.full_name': { + category: 'user', + description: "User's full name, if available.", + example: 'Albert Einstein', + name: 'user.target.full_name', + type: 'keyword', + }, + 'user.target.group.domain': { + category: 'user', + description: + 'Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name.', + name: 'user.target.group.domain', + type: 'keyword', + }, + 'user.target.group.id': { + category: 'user', + description: 'Unique identifier for the group on the system/platform.', + name: 'user.target.group.id', + type: 'keyword', + }, + 'user.target.group.name': { + category: 'user', + description: 'Name of the group.', + name: 'user.target.group.name', + type: 'keyword', + }, + 'user.target.hash': { + category: 'user', + description: + 'Unique user hash to correlate information for a user in anonymized form. 
Useful if `user.id` or `user.name` contain confidential information and cannot be used.', + name: 'user.target.hash', + type: 'keyword', + }, + 'user.target.id': { + category: 'user', + description: 'Unique identifier of the user.', + name: 'user.target.id', + type: 'keyword', + }, + 'user.target.name': { + category: 'user', + description: 'Short name or login of the user.', + example: 'albert', + name: 'user.target.name', + type: 'keyword', + }, + 'user.target.roles': { + category: 'user', + description: 'Array of user roles at the time of the event.', + example: '["kibana_admin", "reporting_user"]', + name: 'user.target.roles', + type: 'keyword', + }, 'user_agent.device.name': { category: 'user_agent', description: 'Name of the device.', @@ -3969,6 +5001,14 @@ export const fieldsBeat: BeatFields = { name: 'user_agent.os.platform', type: 'keyword', }, + 'user_agent.os.type': { + category: 'user_agent', + description: + "Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.", + example: 'macos', + name: 'user_agent.os.type', + type: 'keyword', + }, 'user_agent.os.version': { category: 'user_agent', description: 'Operating system version as a raw string.', 
@@ -4098,54 +5138,219 @@ export const fieldsBeat: BeatFields = { name: 'vulnerability.severity', type: 'keyword', }, - 'agent.hostname': { - category: 'agent', + 'x509.alternative_names': { + category: 'x509', description: - 'Deprecated - use agent.name or agent.id to identify an agent. Hostname of the agent. ', - name: 'agent.hostname', + 'List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + name: 'x509.alternative_names', type: 'keyword', }, - 'beat.timezone': { - category: 'beat', - name: 'beat.timezone', - type: 'alias', + 'x509.issuer.common_name': { + category: 'x509', + description: 'List of common name (CN) of issuing certificate authority.', + example: 'Example SHA2 High Assurance Server CA', + name: 'x509.issuer.common_name', + type: 'keyword', }, - fields: { - category: 'base', - description: 'Contains user configurable fields. 
', - name: 'fields', - type: 'object', + 'x509.issuer.country': { + category: 'x509', + description: 'List of country (C) codes', + example: 'US', + name: 'x509.issuer.country', + type: 'keyword', }, - 'beat.name': { - category: 'beat', - name: 'beat.name', - type: 'alias', + 'x509.issuer.distinguished_name': { + category: 'x509', + description: 'Distinguished name (DN) of issuing certificate authority.', + example: 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + name: 'x509.issuer.distinguished_name', + type: 'keyword', }, - 'beat.hostname': { - category: 'beat', - name: 'beat.hostname', - type: 'alias', + 'x509.issuer.locality': { + category: 'x509', + description: 'List of locality names (L)', + example: 'Mountain View', + name: 'x509.issuer.locality', + type: 'keyword', }, - 'timeseries.instance': { - category: 'timeseries', - description: 'Time series instance id', - name: 'timeseries.instance', + 'x509.issuer.organization': { + category: 'x509', + description: 'List of organizations (O) of issuing certificate authority.', + example: 'Example Inc', + name: 'x509.issuer.organization', type: 'keyword', }, - 'cloud.project.id': { - category: 'cloud', - description: 'Name of the project in Google Cloud. ', - example: 'project-x', - name: 'cloud.project.id', + 'x509.issuer.organizational_unit': { + category: 'x509', + description: 'List of organizational units (OU) of issuing certificate authority.', + example: 'www.example.com', + name: 'x509.issuer.organizational_unit', + type: 'keyword', }, - 'cloud.image.id': { - category: 'cloud', - description: 'Image ID for the cloud instance. 
', - example: 'ami-abcd1234', - name: 'cloud.image.id', + 'x509.issuer.state_or_province': { + category: 'x509', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + name: 'x509.issuer.state_or_province', + type: 'keyword', }, - 'meta.cloud.provider': { - category: 'meta', + 'x509.not_after': { + category: 'x509', + description: 'Time at which the certificate is no longer considered valid.', + example: '"2020-07-16T03:15:39.000Z"', + name: 'x509.not_after', + type: 'date', + }, + 'x509.not_before': { + category: 'x509', + description: 'Time at which the certificate is first considered valid.', + example: '"2019-08-16T01:40:25.000Z"', + name: 'x509.not_before', + type: 'date', + }, + 'x509.public_key_algorithm': { + category: 'x509', + description: 'Algorithm used to generate the public key.', + example: 'RSA', + name: 'x509.public_key_algorithm', + type: 'keyword', + }, + 'x509.public_key_curve': { + category: 'x509', + description: + 'The curve used by the elliptic curve public key algorithm. This is algorithm specific.', + example: 'nistp521', + name: 'x509.public_key_curve', + type: 'keyword', + }, + 'x509.public_key_exponent': { + category: 'x509', + description: 'Exponent used to derive the public key. This is algorithm specific.', + example: 65537, + name: 'x509.public_key_exponent', + type: 'long', + }, + 'x509.public_key_size': { + category: 'x509', + description: 'The size of the public key space in bits.', + example: 2048, + name: 'x509.public_key_size', + type: 'long', + }, + 'x509.serial_number': { + category: 'x509', + description: + 'Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + name: 'x509.serial_number', + type: 'keyword', + }, + 'x509.signature_algorithm': { + category: 'x509', + description: + 'Identifier for certificate signature algorithm. 
We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.', + example: 'SHA256-RSA', + name: 'x509.signature_algorithm', + type: 'keyword', + }, + 'x509.subject.common_name': { + category: 'x509', + description: 'List of common names (CN) of subject.', + example: 'shared.global.example.net', + name: 'x509.subject.common_name', + type: 'keyword', + }, + 'x509.subject.country': { + category: 'x509', + description: 'List of country (C) code', + example: 'US', + name: 'x509.subject.country', + type: 'keyword', + }, + 'x509.subject.distinguished_name': { + category: 'x509', + description: 'Distinguished name (DN) of the certificate subject entity.', + example: 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + name: 'x509.subject.distinguished_name', + type: 'keyword', + }, + 'x509.subject.locality': { + category: 'x509', + description: 'List of locality names (L)', + example: 'San Francisco', + name: 'x509.subject.locality', + type: 'keyword', + }, + 'x509.subject.organization': { + category: 'x509', + description: 'List of organizations (O) of subject.', + example: 'Example, Inc.', + name: 'x509.subject.organization', + type: 'keyword', + }, + 'x509.subject.organizational_unit': { + category: 'x509', + description: 'List of organizational units (OU) of subject.', + name: 'x509.subject.organizational_unit', + type: 'keyword', + }, + 'x509.subject.state_or_province': { + category: 'x509', + description: 'List of state or province names (ST, S, or P)', + example: 'California', + name: 'x509.subject.state_or_province', + type: 'keyword', + }, + 'x509.version_number': { + category: 'x509', + description: 'Version of x509 format.', + example: 3, + name: 'x509.version_number', + type: 'keyword', + }, + 'agent.hostname': { + category: 'agent', + description: + 'Deprecated - use agent.name or agent.id to identify an agent. Hostname of the agent. 
', + name: 'agent.hostname', + type: 'keyword', + }, + 'beat.timezone': { + category: 'beat', + name: 'beat.timezone', + type: 'alias', + }, + fields: { + category: 'base', + description: 'Contains user configurable fields. ', + name: 'fields', + type: 'object', + }, + 'beat.name': { + category: 'beat', + name: 'beat.name', + type: 'alias', + }, + 'beat.hostname': { + category: 'beat', + name: 'beat.hostname', + type: 'alias', + }, + 'timeseries.instance': { + category: 'timeseries', + description: 'Time series instance id', + name: 'timeseries.instance', + type: 'keyword', + }, + 'cloud.image.id': { + category: 'cloud', + description: 'Image ID for the cloud instance. ', + example: 'ami-abcd1234', + name: 'cloud.image.id', + }, + 'meta.cloud.provider': { + category: 'meta', name: 'meta.cloud.provider', type: 'alias', }, @@ -4244,6 +5449,12 @@ export const fieldsBeat: BeatFields = { name: 'kubernetes.node.name', type: 'keyword', }, + 'kubernetes.node.hostname': { + category: 'kubernetes', + description: 'Kubernetes hostname as reported by the node’s kernel ', + name: 'kubernetes.node.hostname', + type: 'keyword', + }, 'kubernetes.labels.*': { category: 'kubernetes', description: 'Kubernetes labels map ', @@ -4256,6 +5467,12 @@ export const fieldsBeat: BeatFields = { name: 'kubernetes.annotations.*', type: 'object', }, + 'kubernetes.service.selectors.*': { + category: 'kubernetes', + description: 'Kubernetes Service selectors map ', + name: 'kubernetes.service.selectors.*', + type: 'object', + }, 'kubernetes.replicaset.name': { category: 'kubernetes', description: 'Kubernetes replicaset name ', 
@@ -4392,30 +5609,6 @@ export const fieldsBeat: BeatFields = { name: 'user.audit.name', type: 'keyword', }, - 'user.effective.id': { - category: 'user', - description: 'Effective user ID.', - name: 'user.effective.id', - type: 'keyword', - }, - 'user.effective.name': { - category: 'user', - description: 'Effective user name.', - name: 'user.effective.name', - type: 'keyword', - }, - 'user.effective.group.id': { - category: 'user', - description: 'Effective group ID.', - name: 'user.effective.group.id', - type: 'keyword', - }, - 'user.effective.group.name': { - category: 'user', - description: 'Effective group name.', - name: 'user.effective.group.name', - type: 'keyword', - }, 'user.filesystem.id': { category: 'user', description: 'Filesystem user ID.', @@ -4474,11 +5667,6 @@ export const fieldsBeat: BeatFields = { name: 'user.uid', type: 'alias', }, - 'user.euid': { - category: 'user', - name: 'user.euid', - type: 'alias', - }, 'user.fsuid': { category: 'user', name: 'user.fsuid', @@ -4494,11 +5682,6 @@ export const fieldsBeat: BeatFields = { name: 'user.gid', type: 'alias', }, - 'user.egid': { - category: 'user', - name: 'user.egid', - type: 'alias', - }, 'user.sgid': { category: 'user', name: 'user.sgid', @@ -4519,11 +5702,6 @@ export const fieldsBeat: BeatFields = { name: 'user.name_map.uid', type: 'alias', }, - 'user.name_map.euid': { - category: 'user', - name: 'user.name_map.euid', - type: 'alias', - }, 'user.name_map.fsuid': { category: 'user', name: 'user.name_map.fsuid', @@ -4539,11 +5717,6 @@ export const fieldsBeat: BeatFields = { name: 'user.name_map.gid', type: 'alias', }, - 'user.name_map.egid': { - category: 'user', - name: 'user.name_map.egid', - type: 'alias', - }, 'user.name_map.sgid': { category: 'user', name: 'user.name_map.sgid', 
@@ -6273,6 +7446,12 @@ export const fieldsBeat: BeatFields = { name: 'system.audit.host.os.kernel', type: 'keyword', }, + 'system.audit.host.os.type': { + category: 'system', + description: 'OS type (see ECS os.type). ', + name: 'system.audit.host.os.type', + type: 'keyword', + }, 'system.audit.package.entity_id': { category: 'system', description: @@ -6394,13 +7573,6 @@ export const fieldsBeat: BeatFields = { name: 'system.audit.user.password.last_changed', type: 'date', }, - 'log.file.path': { - category: 'log', - description: - 'The file from which the line was read. This field contains the absolute path to the file. For example: `/var/log/system.log`. ', - name: 'log.file.path', - type: 'keyword', - }, 'log.source.address': { category: 'log', description: 'Source address from which the log event was read / sent from. ', @@ -7093,6 +8265,21 @@ export const fieldsBeat: BeatFields = { name: 'elasticsearch.audit.user.roles', type: 'keyword', }, + 'elasticsearch.audit.user.run_as.name': { + category: 'elasticsearch', + name: 'elasticsearch.audit.user.run_as.name', + type: 'keyword', + }, + 'elasticsearch.audit.user.run_as.realm': { + category: 'elasticsearch', + name: 'elasticsearch.audit.user.run_as.realm', + type: 'keyword', + }, + 'elasticsearch.audit.component': { + category: 'elasticsearch', + name: 'elasticsearch.audit.component', + type: 'keyword', + }, 'elasticsearch.audit.action': { category: 'elasticsearch', description: 'The name of the action that was executed', @@ -7152,6 +8339,11 @@ export const fieldsBeat: BeatFields = { name: 'elasticsearch.audit.message', type: 'text', }, + 'elasticsearch.audit.invalidate.apikeys.owned_by_authenticated_user': { + category: 'elasticsearch', + name: 'elasticsearch.audit.invalidate.apikeys.owned_by_authenticated_user', + type: 'boolean', + }, 'elasticsearch.deprecation': { category: 'elasticsearch', description: '', 
@@ -7970,6 +9162,77 @@ export const fieldsBeat: BeatFields = { name: 'kafka.log.trace.message', type: 'text', }, + 'kibana.session_id': { + category: 'kibana', + description: + 'The ID of the user session associated with this event. Each login attempt results in a unique session id.', + example: '123e4567-e89b-12d3-a456-426614174000', + name: 'kibana.session_id', + type: 'keyword', + }, + 'kibana.space_id': { + category: 'kibana', + description: 'The id of the space associated with this event.', + example: 'default', + name: 'kibana.space_id', + type: 'keyword', + }, + 'kibana.saved_object.type': { + category: 'kibana', + description: 'The type of the saved object associated with this event.', + example: 'dashboard', + name: 'kibana.saved_object.type', + type: 'keyword', + }, + 'kibana.saved_object.id': { + category: 'kibana', + description: 'The id of the saved object associated with this event.', + example: '6295bdd0-0a0e-11e7-825f-6748cda7d858', + name: 'kibana.saved_object.id', + type: 'keyword', + }, + 'kibana.add_to_spaces': { + category: 'kibana', + description: 'The set of space ids that a saved object was shared to.', + example: "['default', 'marketing']", + name: 'kibana.add_to_spaces', + type: 'keyword', + }, + 'kibana.delete_from_spaces': { + category: 'kibana', + description: 'The set of space ids that a saved object was removed from.', + example: "['default', 'marketing']", + name: 'kibana.delete_from_spaces', + type: 'keyword', + }, + 'kibana.authentication_provider': { + category: 'kibana', + description: 'The authentication provider associated with a login event.', + example: 'basic1', + name: 'kibana.authentication_provider', + type: 'keyword', + }, + 'kibana.authentication_type': { + category: 'kibana', + description: 'The authentication provider type associated with a login event.', + example: 'basic', + name: 'kibana.authentication_type', + type: 'keyword', + }, + 'kibana.authentication_realm': { + category: 'kibana', + description: 'The 
Elasticsearch authentication realm name which fulfilled a login event.', + example: 'native', + name: 'kibana.authentication_realm', + type: 'keyword', + }, + 'kibana.lookup_realm': { + category: 'kibana', + description: 'The Elasticsearch lookup realm which fulfilled a login event.', + example: 'native', + name: 'kibana.lookup_realm', + type: 'keyword', + }, 'kibana.log.tags': { category: 'kibana', description: 'Kibana logging tags. ', @@ -8040,6 +9303,11 @@ export const fieldsBeat: BeatFields = { name: 'logstash.log.log_event', type: 'object', }, + 'logstash.log.log_event.action': { + category: 'logstash', + name: 'logstash.log.log_event.action', + type: 'keyword', + }, 'logstash.log.pipeline_id': { category: 'logstash', description: 'The ID of the pipeline. ', 
@@ -8637,6 +9905,34 @@ export const fieldsBeat: BeatFields = { name: 'nginx.ingress_controller.remote_ip_list', type: 'array', }, + 'nginx.ingress_controller.upstream_address_list': { + category: 'nginx', + description: + 'An array of the upstream addresses. It is a list because it is common that several upstream servers were contacted during request processing. ', + name: 'nginx.ingress_controller.upstream_address_list', + type: 'keyword', + }, + 'nginx.ingress_controller.upstream.response.length_list': { + category: 'nginx', + description: + 'An array of upstream response lengths. It is a list because it is common that several upstream servers were contacted during request processing. ', + name: 'nginx.ingress_controller.upstream.response.length_list', + type: 'keyword', + }, + 'nginx.ingress_controller.upstream.response.time_list': { + category: 'nginx', + description: + 'An array of upstream response durations. It is a list because it is common that several upstream servers were contacted during request processing. ', + name: 'nginx.ingress_controller.upstream.response.time_list', + type: 'keyword', + }, + 'nginx.ingress_controller.upstream.response.status_code_list': { + category: 'nginx', + description: + 'An array of upstream response status codes. It is a list because it is common that several upstream servers were contacted during request processing. ', + name: 'nginx.ingress_controller.upstream.response.status_code_list', + type: 'keyword', + }, 'nginx.ingress_controller.http.request.length': { category: 'nginx', description: 'The request length (including request line, header, and request body) ', 
@@ -8665,7 +9961,8 @@ export const fieldsBeat: BeatFields = { }, 'nginx.ingress_controller.upstream.response.length': { category: 'nginx', - description: 'The length of the response obtained from the upstream server ', + description: + 'The length of the response obtained from the upstream server. If several servers were contacted during request process, the summary of the multiple response lengths is stored. ', name: 'nginx.ingress_controller.upstream.response.length', type: 'long', format: 'bytes', 
@@ -8673,36 +9970,38 @@ export const fieldsBeat: BeatFields = { 'nginx.ingress_controller.upstream.response.time': { category: 'nginx', description: - 'The time spent on receiving the response from the upstream server as seconds with millisecond resolution ', + 'The time spent on receiving the response from the upstream as seconds with millisecond resolution. If several servers were contacted during request process, the summary of the multiple response times is stored. ', name: 'nginx.ingress_controller.upstream.response.time', type: 'double', format: 'duration', }, 'nginx.ingress_controller.upstream.response.status_code': { category: 'nginx', - description: 'The status code of the response obtained from the upstream server ', + description: + 'The status code of the response obtained from the upstream server. If several servers were contacted during request process, only the status code of the response from the last one is stored in this field. ', name: 'nginx.ingress_controller.upstream.response.status_code', type: 'long', }, - 'nginx.ingress_controller.http.request.id': { - category: 'nginx', - description: 'The randomly generated ID of the request ', - name: 'nginx.ingress_controller.http.request.id', - type: 'keyword', - }, 'nginx.ingress_controller.upstream.ip': { category: 'nginx', description: - 'The IP address of the upstream server. If several servers were contacted during request processing, their addresses are separated by commas. ', + 'The IP address of the upstream server. If several servers were contacted during request process, only the last one is stored in this field. ', name: 'nginx.ingress_controller.upstream.ip', type: 'ip', }, 'nginx.ingress_controller.upstream.port': { category: 'nginx', - description: 'The port of the upstream server. ', + description: + 'The port of the upstream server. If several servers were contacted during request process, only the last one is stored in this field. 
', name: 'nginx.ingress_controller.upstream.port', type: 'long', }, + 'nginx.ingress_controller.http.request.id': { + category: 'nginx', + description: 'The randomly generated ID of the request ', + name: 'nginx.ingress_controller.http.request.id', + type: 'keyword', + }, 'nginx.ingress_controller.body_sent.bytes': { category: 'nginx', name: 'nginx.ingress_controller.body_sent.bytes', 
@@ -8831,6 +10130,78 @@ export const fieldsBeat: BeatFields = { name: 'osquery.result.calendar_time', type: 'keyword', }, + 'pensando.dfw.action': { + category: 'pensando', + description: 'Action on the flow. ', + name: 'pensando.dfw.action', + type: 'keyword', + }, + 'pensando.dfw.app_id': { + category: 'pensando', + description: 'Application ID ', + name: 'pensando.dfw.app_id', + type: 'integer', + }, + 'pensando.dfw.destination_address': { + category: 'pensando', + description: 'Address of destination. ', + name: 'pensando.dfw.destination_address', + type: 'keyword', + }, + 'pensando.dfw.destination_port': { + category: 'pensando', + description: 'Port of destination. ', + name: 'pensando.dfw.destination_port', + type: 'integer', + }, + 'pensando.dfw.direction': { + category: 'pensando', + description: 'Direction of the flow ', + name: 'pensando.dfw.direction', + type: 'keyword', + }, + 'pensando.dfw.protocol': { + category: 'pensando', + description: 'Protocol of the flow ', + name: 'pensando.dfw.protocol', + type: 'keyword', + }, + 'pensando.dfw.rule_id': { + category: 'pensando', + description: 'Rule ID that was matched. ', + name: 'pensando.dfw.rule_id', + type: 'keyword', + }, + 'pensando.dfw.session_id': { + category: 'pensando', + description: 'Session ID of the flow ', + name: 'pensando.dfw.session_id', + type: 'integer', + }, + 'pensando.dfw.session_state': { + category: 'pensando', + description: 'Session state of the flow. ', + name: 'pensando.dfw.session_state', + type: 'keyword', + }, + 'pensando.dfw.source_address': { + category: 'pensando', + description: 'Source address of the flow. ', + name: 'pensando.dfw.source_address', + type: 'keyword', + }, + 'pensando.dfw.source_port': { + category: 'pensando', + description: 'Source port of the flow. ', + name: 'pensando.dfw.source_port', + type: 'integer', + }, + 'pensando.dfw.timestamp': { + category: 'pensando', + description: 'Timestamp of the log. 
', + name: 'pensando.dfw.timestamp', + type: 'date', + }, 'postgresql.log.timestamp': { category: 'postgresql', description: 'The timestamp from the log line. ', 
@@ -8838,26 +10209,52 @@ export const fieldsBeat: BeatFields = { }, 'postgresql.log.core_id': { category: 'postgresql', - description: 'Core id ', + description: + 'Core id. (deprecated, there is no core_id in PostgreSQL logs, this is actually session_line_number). ', name: 'postgresql.log.core_id', + type: 'alias', + }, + 'postgresql.log.client_addr': { + category: 'postgresql', + description: 'Host where the connection originated from. ', + example: '127.0.0.1', + name: 'postgresql.log.client_addr', + }, + 'postgresql.log.client_port': { + category: 'postgresql', + description: 'Port where the connection originated from. ', + example: '59700', + name: 'postgresql.log.client_port', + }, + 'postgresql.log.session_id': { + category: 'postgresql', + description: 'PostgreSQL session. ', + example: '5ff1dd98.22', + name: 'postgresql.log.session_id', + }, + 'postgresql.log.session_line_number': { + category: 'postgresql', + description: 'Line number inside a session. (%l in `log_line_prefix`). ', + name: 'postgresql.log.session_line_number', type: 'long', }, 'postgresql.log.database': { category: 'postgresql', - description: 'Name of database ', - example: 'mydb', + description: 'Name of database. ', + example: 'postgres', name: 'postgresql.log.database', }, 'postgresql.log.query': { category: 'postgresql', - description: 'Query statement. ', + description: + 'Query statement. In the case of CSV parse, look at command_tag to get more context. ', example: 'SELECT * FROM users;', name: 'postgresql.log.query', }, 'postgresql.log.query_step': { category: 'postgresql', description: - 'Statement step when using extended query protocol (one of statement, parse, bind or execute) ', + 'Statement step when using extended query protocol (one of statement, parse, bind or execute). ', example: 'parse', name: 'postgresql.log.query_step', }, 
@@ -8868,20 +10265,98 @@ export const fieldsBeat: BeatFields = { example: 'pdo_stmt_00000001', name: 'postgresql.log.query_name', }, - 'postgresql.log.error.code': { + 'postgresql.log.command_tag': { category: 'postgresql', - description: 'Error code returned by Postgres (if any)', - name: 'postgresql.log.error.code', + description: + "Type of session's current command. The complete list can be found at: src/include/tcop/cmdtaglist.h ", + example: 'SELECT', + name: 'postgresql.log.command_tag', + }, + 'postgresql.log.session_start_time': { + category: 'postgresql', + description: 'Time when this session started. ', + name: 'postgresql.log.session_start_time', + type: 'date', + }, + 'postgresql.log.virtual_transaction_id': { + category: 'postgresql', + description: 'Backend local transaction id. ', + name: 'postgresql.log.virtual_transaction_id', + }, + 'postgresql.log.transaction_id': { + category: 'postgresql', + description: 'The id of current transaction. ', + name: 'postgresql.log.transaction_id', type: 'long', }, - 'postgresql.log.timezone': { + 'postgresql.log.sql_state_code': { category: 'postgresql', - name: 'postgresql.log.timezone', + description: + 'State code returned by Postgres (if any). See also https://www.postgresql.org/docs/current/errcodes-appendix.html ', + name: 'postgresql.log.sql_state_code', + type: 'keyword', + }, + 'postgresql.log.detail': { + category: 'postgresql', + description: + "More information about the message, parameters in case of a parametrized query. e.g. 'Role \\\"user\\\" does not exist.', 'parameters: $1 = 42', etc. ", + name: 'postgresql.log.detail', + }, + 'postgresql.log.hint': { + category: 'postgresql', + description: 'A possible solution to solve an error. ', + name: 'postgresql.log.hint', + }, + 'postgresql.log.internal_query': { + category: 'postgresql', + description: 'Internal query that led to the error (if any). 
', + name: 'postgresql.log.internal_query', + }, + 'postgresql.log.internal_query_pos': { + category: 'postgresql', + description: 'Character count of the internal query (if any). ', + name: 'postgresql.log.internal_query_pos', + type: 'long', + }, + 'postgresql.log.context': { + category: 'postgresql', + description: 'Error context. ', + name: 'postgresql.log.context', + }, + 'postgresql.log.query_pos': { + category: 'postgresql', + description: 'Character count of the error position (if any). ', + name: 'postgresql.log.query_pos', + type: 'long', + }, + 'postgresql.log.location': { + category: 'postgresql', + description: + 'Location of the error in the PostgreSQL source code (if log_error_verbosity is set to verbose). ', + name: 'postgresql.log.location', + }, + 'postgresql.log.application_name': { + category: 'postgresql', + description: 'Name of the application of this event. It is defined by the client. ', + name: 'postgresql.log.application_name', + }, + 'postgresql.log.backend_type': { + category: 'postgresql', + description: + 'Type of backend of this event. Possible types are autovacuum launcher, autovacuum worker, logical replication launcher, logical replication worker, parallel worker, background writer, client backend, checkpointer, startup, walreceiver, walsender and walwriter. In addition, background workers registered by extensions may have additional types. ', + example: 'client backend', + name: 'postgresql.log.backend_type', + }, + 'postgresql.log.error.code': { + category: 'postgresql', + description: + 'Error code returned by Postgres (if any). Deprecated: errors can have letters. Use sql_state_code instead. ', + name: 'postgresql.log.error.code', type: 'alias', }, - 'postgresql.log.thread_id': { + 'postgresql.log.timezone': { category: 'postgresql', - name: 'postgresql.log.thread_id', + name: 'postgresql.log.timezone', type: 'alias', }, 'postgresql.log.user': { 
@@ -8891,6 +10366,9 @@ export const fieldsBeat: BeatFields = { }, 'postgresql.log.level': { category: 'postgresql', + description: + 'Valid values are DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, INFO, NOTICE, WARNING, ERROR, LOG, FATAL, and PANIC. ', + example: 'LOG', name: 'postgresql.log.level', type: 'alias', }, @@ -9537,6 +11015,13 @@ export const fieldsBeat: BeatFields = { name: 'aws.cloudtrail.vpc_endpoint_id', type: 'keyword', }, + 'aws.cloudtrail.event_category': { + category: 'aws', + description: + 'Shows the event category that is used in LookupEvents calls. - For management events, the value is management. - For data events, the value is data. - For Insights events, the value is insight.', + name: 'aws.cloudtrail.event_category', + type: 'keyword', + }, 'aws.cloudtrail.console_login.additional_eventdata.mobile_version': { category: 'aws', description: 'Identifies whether ConsoleLogin was from mobile version', 
@@ -9580,6 +11065,86 @@ export const fieldsBeat: BeatFields = { name: 'aws.cloudtrail.flattened.service_event_details', type: 'flattened', }, + 'aws.cloudtrail.digest.log_files': { + category: 'aws', + description: 'A list of Logfiles contained in the digest.', + name: 'aws.cloudtrail.digest.log_files', + type: 'nested', + }, + 'aws.cloudtrail.digest.start_time': { + category: 'aws', + description: + 'The starting UTC time range that the digest file covers, taking as a reference the time in which log files have been delivered by CloudTrail.', + name: 'aws.cloudtrail.digest.start_time', + type: 'date', + }, + 'aws.cloudtrail.digest.end_time': { + category: 'aws', + description: + 'The ending UTC time range that the digest file covers, taking as a reference the time in which log files have been delivered by CloudTrail.', + name: 'aws.cloudtrail.digest.end_time', + type: 'date', + }, + 'aws.cloudtrail.digest.s3_bucket': { + category: 'aws', + description: + 'The name of the Amazon S3 bucket to which the current digest file has been delivered.', + name: 'aws.cloudtrail.digest.s3_bucket', + type: 'keyword', + }, + 'aws.cloudtrail.digest.s3_object': { + category: 'aws', + description: + 'The Amazon S3 object key (that is, the Amazon S3 bucket location) of the current digest file.', + name: 'aws.cloudtrail.digest.s3_object', + type: 'keyword', + }, + 'aws.cloudtrail.digest.newest_event_time': { + category: 'aws', + description: + 'The UTC time of the most recent event among all of the events in the log files in the digest.', + name: 'aws.cloudtrail.digest.newest_event_time', + type: 'date', + }, + 'aws.cloudtrail.digest.oldest_event_time': { + category: 'aws', + description: + 'The UTC time of the oldest event among all of the events in the log files in the digest.', + name: 'aws.cloudtrail.digest.oldest_event_time', + type: 'date', + }, + 'aws.cloudtrail.digest.previous_s3_bucket': { + category: 'aws', + description: 'The Amazon S3 bucket to which the previous digest 
file was delivered.', + name: 'aws.cloudtrail.digest.previous_s3_bucket', + type: 'keyword', + }, + 'aws.cloudtrail.digest.previous_hash_algorithm': { + category: 'aws', + description: 'The name of the hash algorithm that was used to hash the previous digest file.', + name: 'aws.cloudtrail.digest.previous_hash_algorithm', + type: 'keyword', + }, + 'aws.cloudtrail.digest.public_key_fingerprint': { + category: 'aws', + description: + 'The hexadecimal encoded fingerprint of the public key that matches the private key used to sign this digest file.', + name: 'aws.cloudtrail.digest.public_key_fingerprint', + type: 'keyword', + }, + 'aws.cloudtrail.digest.signature_algorithm': { + category: 'aws', + description: 'The algorithm used to sign the digest file.', + name: 'aws.cloudtrail.digest.signature_algorithm', + type: 'keyword', + }, + 'aws.cloudtrail.insight_details': { + category: 'aws', + description: + 'Shows information about the underlying triggers of an Insights event, such as event source, user agent, statistics, API name, and whether the event is the start or end of the Insights event.', + name: 'aws.cloudtrail.insight_details', + type: 'flattened', + }, 'aws.cloudwatch.message': { category: 'aws', description: 'CloudWatch log message. ', 
@@ -9746,6 +11311,30 @@ export const fieldsBeat: BeatFields = { name: 'aws.elb.error.reason', type: 'keyword', }, + 'aws.elb.target_port': { + category: 'aws', + description: 'List of IP addresses and ports for the targets that processed this request. ', + name: 'aws.elb.target_port', + type: 'keyword', + }, + 'aws.elb.target_status_code': { + category: 'aws', + description: 'List of status codes from the responses of the targets. ', + name: 'aws.elb.target_status_code', + type: 'keyword', + }, + 'aws.elb.classification': { + category: 'aws', + description: 'The classification for desync mitigation. ', + name: 'aws.elb.classification', + type: 'keyword', + }, + 'aws.elb.classification_reason': { + category: 'aws', + description: 'The classification reason code. ', + name: 'aws.elb.classification_reason', + type: 'keyword', + }, 'aws.s3access.bucket_owner': { category: 'aws', description: 'The canonical user ID of the owner of the source bucket. ', @@ -9962,6 +11551,12 @@ export const fieldsBeat: BeatFields = { name: 'aws.vpcflow.tcp_flags', type: 'keyword', }, + 'aws.vpcflow.tcp_flags_array': { + category: 'aws', + description: "List of TCP flags: 'fin, syn, rst, psh, ack, urg' ", + name: 'aws.vpcflow.tcp_flags_array', + type: 'keyword', + }, 'aws.vpcflow.type': { category: 'aws', description: 'The type of traffic: IPv4, IPv6, or EFA. ', 
@@ -10334,6 +11929,90 @@ export const fieldsBeat: BeatFields = { name: 'azure.auditlogs.properties.initiated_by.user.ipAddress', type: 'keyword', }, + 'azure.platformlogs.operation_name': { + category: 'azure', + description: 'Operation name ', + name: 'azure.platformlogs.operation_name', + type: 'keyword', + }, + 'azure.platformlogs.result_type': { + category: 'azure', + description: 'Result type ', + name: 'azure.platformlogs.result_type', + type: 'keyword', + }, + 'azure.platformlogs.result_signature': { + category: 'azure', + description: 'Result signature ', + name: 'azure.platformlogs.result_signature', + type: 'keyword', + }, + 'azure.platformlogs.category': { + category: 'azure', + description: 'Category ', + name: 'azure.platformlogs.category', + type: 'keyword', + }, + 'azure.platformlogs.event_category': { + category: 'azure', + description: 'Event Category ', + name: 'azure.platformlogs.event_category', + type: 'keyword', + }, + 'azure.platformlogs.status': { + category: 'azure', + description: 'Status ', + name: 'azure.platformlogs.status', + type: 'keyword', + }, + 'azure.platformlogs.ccpNamespace': { + category: 'azure', + description: 'ccpNamespace ', + name: 'azure.platformlogs.ccpNamespace', + type: 'keyword', + }, + 'azure.platformlogs.Cloud': { + category: 'azure', + description: 'Cloud ', + name: 'azure.platformlogs.Cloud', + type: 'keyword', + }, + 'azure.platformlogs.Environment': { + category: 'azure', + description: 'Environment ', + name: 'azure.platformlogs.Environment', + type: 'keyword', + }, + 'azure.platformlogs.EventTimeString': { + category: 'azure', + description: 'EventTimeString ', + name: 'azure.platformlogs.EventTimeString', + type: 'keyword', + }, + 'azure.platformlogs.Caller': { + category: 'azure', + description: 'Caller ', + name: 'azure.platformlogs.Caller', + type: 'keyword', + }, + 'azure.platformlogs.ScaleUnit': { + category: 'azure', + description: 'ScaleUnit ', + name: 'azure.platformlogs.ScaleUnit', + type: 
'keyword', + }, + 'azure.platformlogs.ActivityId': { + category: 'azure', + description: 'ActivityId ', + name: 'azure.platformlogs.ActivityId', + type: 'keyword', + }, + 'azure.platformlogs.properties.*': { + category: 'azure', + description: 'Properties ', + name: 'azure.platformlogs.properties.*', + type: 'object', + }, 'azure.signinlogs.operation_name': { category: 'azure', description: 'The operation name ', 
@@ -17047,6 +18726,331 @@ export const fieldsBeat: BeatFields = { name: 'checkpoint.trusted_domain', type: 'keyword', }, + 'cisco.amp.timestamp_nanoseconds': { + category: 'cisco', + description: 'The timestamp in Epoch nanoseconds. ', + name: 'cisco.amp.timestamp_nanoseconds', + type: 'date', + }, + 'cisco.amp.event_type_id': { + category: 'cisco', + description: 'A sub ID of the event, depending on event type. ', + name: 'cisco.amp.event_type_id', + type: 'keyword', + }, + 'cisco.amp.detection': { + category: 'cisco', + description: 'The name of the malware detected. ', + name: 'cisco.amp.detection', + type: 'keyword', + }, + 'cisco.amp.detection_id': { + category: 'cisco', + description: 'The ID of the detection. ', + name: 'cisco.amp.detection_id', + type: 'keyword', + }, + 'cisco.amp.connector_guid': { + category: 'cisco', + description: 'The GUID of the connector sending information to AMP. ', + name: 'cisco.amp.connector_guid', + type: 'keyword', + }, + 'cisco.amp.group_guids': { + category: 'cisco', + description: 'An array of group GUIDS related to the connector sending information to AMP. ', + name: 'cisco.amp.group_guids', + type: 'keyword', + }, + 'cisco.amp.vulnerabilities': { + category: 'cisco', + description: 'An array of related vulnerabilities to the malicious event. ', + name: 'cisco.amp.vulnerabilities', + type: 'flattened', + }, + 'cisco.amp.scan.description': { + category: 'cisco', + description: + 'Description of an event related to a scan being initiated, for example the specific directory name. ', + name: 'cisco.amp.scan.description', + type: 'keyword', + }, + 'cisco.amp.scan.clean': { + category: 'cisco', + description: 'Boolean value if a scanned file was clean or not. ', + name: 'cisco.amp.scan.clean', + type: 'boolean', + }, + 'cisco.amp.scan.scanned_files': { + category: 'cisco', + description: 'Count of files scanned in a directory. 
', + name: 'cisco.amp.scan.scanned_files', + type: 'long', + }, + 'cisco.amp.scan.scanned_processes': { + category: 'cisco', + description: 'Count of processes scanned related to a single scan event. ', + name: 'cisco.amp.scan.scanned_processes', + type: 'long', + }, + 'cisco.amp.scan.scanned_paths': { + category: 'cisco', + description: 'Count of different directories scanned related to a single scan event. ', + name: 'cisco.amp.scan.scanned_paths', + type: 'long', + }, + 'cisco.amp.scan.malicious_detections': { + category: 'cisco', + description: 'Count of malicious files or documents detected related to a single scan event. ', + name: 'cisco.amp.scan.malicious_detections', + type: 'long', + }, + 'cisco.amp.computer.connector_guid': { + category: 'cisco', + description: + 'The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved. ', + name: 'cisco.amp.computer.connector_guid', + type: 'keyword', + }, + 'cisco.amp.computer.external_ip': { + category: 'cisco', + description: 'The external IP of the related host. ', + name: 'cisco.amp.computer.external_ip', + type: 'ip', + }, + 'cisco.amp.computer.active': { + category: 'cisco', + description: 'If the current endpoint is active or not. ', + name: 'cisco.amp.computer.active', + type: 'boolean', + }, + 'cisco.amp.computer.network_addresses': { + category: 'cisco', + description: 'All network interface information on the related host. ', + name: 'cisco.amp.computer.network_addresses', + type: 'flattened', + }, + 'cisco.amp.file.disposition': { + category: 'cisco', + description: 'Categorization of file, for example "Malicious" or "Clean". ', + name: 'cisco.amp.file.disposition', + type: 'keyword', + }, + 'cisco.amp.network_info.disposition': { + category: 'cisco', + description: + 'Categorization of a network event related to a file, for example "Malicious" or "Clean". 
', + name: 'cisco.amp.network_info.disposition', + type: 'keyword', + }, + 'cisco.amp.network_info.nfm.direction': { + category: 'cisco', + description: 'The current direction based on source and destination IP. ', + name: 'cisco.amp.network_info.nfm.direction', + type: 'keyword', + }, + 'cisco.amp.related.mac': { + category: 'cisco', + description: 'An array of all related MAC addresses. ', + name: 'cisco.amp.related.mac', + type: 'keyword', + }, + 'cisco.amp.related.cve': { + category: 'cisco', + description: 'An array of all related MAC addresses. ', + name: 'cisco.amp.related.cve', + type: 'keyword', + }, + 'cisco.amp.cloud_ioc.description': { + category: 'cisco', + description: 'Description of the related IOC for specific IOC events from AMP. ', + name: 'cisco.amp.cloud_ioc.description', + type: 'keyword', + }, + 'cisco.amp.cloud_ioc.short_description': { + category: 'cisco', + description: 'Short description of the related IOC for specific IOC events from AMP. ', + name: 'cisco.amp.cloud_ioc.short_description', + type: 'keyword', + }, + 'cisco.amp.network_info.parent.disposition': { + category: 'cisco', + description: 'Categorization of a IOC for example "Malicious" or "Clean". ', + name: 'cisco.amp.network_info.parent.disposition', + type: 'keyword', + }, + 'cisco.amp.network_info.parent.identity.md5': { + category: 'cisco', + description: 'MD5 hash of the related IOC. ', + name: 'cisco.amp.network_info.parent.identity.md5', + type: 'keyword', + }, + 'cisco.amp.network_info.parent.identity.sha1': { + category: 'cisco', + description: 'SHA1 hash of the related IOC. ', + name: 'cisco.amp.network_info.parent.identity.sha1', + type: 'keyword', + }, + 'cisco.amp.network_info.parent.identify.sha256': { + category: 'cisco', + description: 'SHA256 hash of the related IOC. 
', + name: 'cisco.amp.network_info.parent.identify.sha256', + type: 'keyword', + }, + 'cisco.amp.file.archived_file.disposition': { + category: 'cisco', + description: + 'Categorization of a file archive related to a file, for example "Malicious" or "Clean". ', + name: 'cisco.amp.file.archived_file.disposition', + type: 'keyword', + }, + 'cisco.amp.file.archived_file.identity.md5': { + category: 'cisco', + description: 'MD5 hash of the archived file related to the malicious event. ', + name: 'cisco.amp.file.archived_file.identity.md5', + type: 'keyword', + }, + 'cisco.amp.file.archived_file.identity.sha1': { + category: 'cisco', + description: 'SHA1 hash of the archived file related to the malicious event. ', + name: 'cisco.amp.file.archived_file.identity.sha1', + type: 'keyword', + }, + 'cisco.amp.file.archived_file.identify.sha256': { + category: 'cisco', + description: 'SHA256 hash of the archived file related to the malicious event. ', + name: 'cisco.amp.file.archived_file.identify.sha256', + type: 'keyword', + }, + 'cisco.amp.file.attack_details.application': { + category: 'cisco', + description: 'The application name related to Exploit Prevention events. ', + name: 'cisco.amp.file.attack_details.application', + type: 'keyword', + }, + 'cisco.amp.file.attack_details.attacked_module': { + category: 'cisco', + description: + 'Path to the executable or dll that was attacked and detected by Exploit Prevention. ', + name: 'cisco.amp.file.attack_details.attacked_module', + type: 'keyword', + }, + 'cisco.amp.file.attack_details.base_address': { + category: 'cisco', + description: 'The base memory address related to the exploit detected. ', + name: 'cisco.amp.file.attack_details.base_address', + type: 'keyword', + }, + 'cisco.amp.file.attack_details.suspicious_files': { + category: 'cisco', + description: 'An array of related files when an attack is detected by Exploit Prevention. 
', + name: 'cisco.amp.file.attack_details.suspicious_files', + type: 'keyword', + }, + 'cisco.amp.file.parent.disposition': { + category: 'cisco', + description: 'Categorization of parrent, for example "Malicious" or "Clean". ', + name: 'cisco.amp.file.parent.disposition', + type: 'keyword', + }, + 'cisco.amp.error.description': { + category: 'cisco', + description: 'Description of an endpoint error event. ', + name: 'cisco.amp.error.description', + type: 'keyword', + }, + 'cisco.amp.error.error_code': { + category: 'cisco', + description: 'The error code describing the related error event. ', + name: 'cisco.amp.error.error_code', + type: 'keyword', + }, + 'cisco.amp.threat_hunting.severity': { + category: 'cisco', + description: + 'Severity result of the threat hunt registered to the malicious event. Can be Low-Critical. ', + name: 'cisco.amp.threat_hunting.severity', + type: 'keyword', + }, + 'cisco.amp.threat_hunting.incident_report_guid': { + category: 'cisco', + description: 'The GUID of the related threat hunting report. ', + name: 'cisco.amp.threat_hunting.incident_report_guid', + type: 'keyword', + }, + 'cisco.amp.threat_hunting.incident_hunt_guid': { + category: 'cisco', + description: 'The GUID of the related investigation tracking issue. ', + name: 'cisco.amp.threat_hunting.incident_hunt_guid', + type: 'keyword', + }, + 'cisco.amp.threat_hunting.incident_title': { + category: 'cisco', + description: 'Title of the incident related to the threat hunting activity. ', + name: 'cisco.amp.threat_hunting.incident_title', + type: 'keyword', + }, + 'cisco.amp.threat_hunting.incident_summary': { + category: 'cisco', + description: 'Summary of the outcome on the threat hunting activity. ', + name: 'cisco.amp.threat_hunting.incident_summary', + type: 'keyword', + }, + 'cisco.amp.threat_hunting.incident_remediation': { + category: 'cisco', + description: 'Recommendations to resolve the vulnerability or exploited host. 
', + name: 'cisco.amp.threat_hunting.incident_remediation', + type: 'keyword', + }, + 'cisco.amp.threat_hunting.incident_id': { + category: 'cisco', + description: 'The id of the related incident for the threat hunting activity. ', + name: 'cisco.amp.threat_hunting.incident_id', + type: 'keyword', + }, + 'cisco.amp.threat_hunting.incident_end_time': { + category: 'cisco', + description: 'When the threat hunt finalized or closed. ', + name: 'cisco.amp.threat_hunting.incident_end_time', + type: 'date', + }, + 'cisco.amp.threat_hunting.incident_start_time': { + category: 'cisco', + description: 'When the threat hunt was initiated. ', + name: 'cisco.amp.threat_hunting.incident_start_time', + type: 'date', + }, + 'cisco.amp.file.attack_details.indicators': { + category: 'cisco', + description: + 'Different indicator types that matches the exploit detected, for example different MITRE tactics. ', + name: 'cisco.amp.file.attack_details.indicators', + type: 'flattened', + }, + 'cisco.amp.threat_hunting.tactics': { + category: 'cisco', + description: 'List of all MITRE tactics related to the incident found. ', + name: 'cisco.amp.threat_hunting.tactics', + type: 'flattened', + }, + 'cisco.amp.threat_hunting.techniques': { + category: 'cisco', + description: 'List of all MITRE techniques related to the incident found. ', + name: 'cisco.amp.threat_hunting.techniques', + type: 'flattened', + }, + 'cisco.amp.tactics': { + category: 'cisco', + description: 'List of all MITRE tactics related to the incident found. ', + name: 'cisco.amp.tactics', + type: 'flattened', + }, + 'cisco.amp.techniques': { + category: 'cisco', + description: 'List of all MITRE techniques related to the incident found. ', + name: 'cisco.amp.techniques', + type: 'flattened', + }, 'cisco.asa.message_id': { category: 'cisco', description: 'The Cisco ASA message identifier. ', 
@@ -17170,6 +19174,72 @@ export const fieldsBeat: BeatFields = { name: 'cisco.asa.dap_records', type: 'keyword', }, + 'cisco.asa.command_line_arguments': { + category: 'cisco', + description: 'The command line arguments logged by the local audit log ', + name: 'cisco.asa.command_line_arguments', + type: 'keyword', + }, + 'cisco.asa.assigned_ip': { + category: 'cisco', + description: 'The IP address assigned to a VPN client successfully connecting ', + name: 'cisco.asa.assigned_ip', + type: 'ip', + }, + 'cisco.asa.privilege.old': { + category: 'cisco', + description: 'When a users privilege is changed this is the old value ', + name: 'cisco.asa.privilege.old', + type: 'keyword', + }, + 'cisco.asa.privilege.new': { + category: 'cisco', + description: 'When a users privilege is changed this is the new value ', + name: 'cisco.asa.privilege.new', + type: 'keyword', + }, + 'cisco.asa.burst.object': { + category: 'cisco', + description: 'The related object for burst warnings ', + name: 'cisco.asa.burst.object', + type: 'keyword', + }, + 'cisco.asa.burst.id': { + category: 'cisco', + description: 'The related rate ID for burst warnings ', + name: 'cisco.asa.burst.id', + type: 'keyword', + }, + 'cisco.asa.burst.current_rate': { + category: 'cisco', + description: 'The current burst rate seen ', + name: 'cisco.asa.burst.current_rate', + type: 'keyword', + }, + 'cisco.asa.burst.configured_rate': { + category: 'cisco', + description: 'The current configured burst rate ', + name: 'cisco.asa.burst.configured_rate', + type: 'keyword', + }, + 'cisco.asa.burst.avg_rate': { + category: 'cisco', + description: 'The current average burst rate seen ', + name: 'cisco.asa.burst.avg_rate', + type: 'keyword', + }, + 'cisco.asa.burst.configured_avg_rate': { + category: 'cisco', + description: 'The current configured average burst rate allowed ', + name: 'cisco.asa.burst.configured_avg_rate', + type: 'keyword', + }, + 'cisco.asa.burst.cumulative_count': { + category: 'cisco', + description: 
'The total count of burst rate hits since the object was created or cleared ', + name: 'cisco.asa.burst.cumulative_count', + type: 'keyword', + }, 'cisco.ftd.message_id': { category: 'cisco', description: 'The Cisco FTD message identifier. ', 
@@ -17313,6 +19383,96 @@ export const fieldsBeat: BeatFields = { name: 'cisco.ios.facility', type: 'keyword', }, + 'cisco.umbrella.identities': { + category: 'cisco', + description: 'An array of the different identities related to the event. ', + name: 'cisco.umbrella.identities', + type: 'keyword', + }, + 'cisco.umbrella.categories': { + category: 'cisco', + description: 'The security or content categories that the destination matches. ', + name: 'cisco.umbrella.categories', + type: 'keyword', + }, + 'cisco.umbrella.policy_identity_type': { + category: 'cisco', + description: + 'The first identity type matched with this request. Available in version 3 and above. ', + name: 'cisco.umbrella.policy_identity_type', + type: 'keyword', + }, + 'cisco.umbrella.identity_types': { + category: 'cisco', + description: + 'The type of identity that made the request. For example, Roaming Computer or Network. ', + name: 'cisco.umbrella.identity_types', + type: 'keyword', + }, + 'cisco.umbrella.blocked_categories': { + category: 'cisco', + description: + 'The categories that resulted in the destination being blocked. Available in version 4 and above. ', + name: 'cisco.umbrella.blocked_categories', + type: 'keyword', + }, + 'cisco.umbrella.content_type': { + category: 'cisco', + description: 'The type of web content, typically text/html. ', + name: 'cisco.umbrella.content_type', + type: 'keyword', + }, + 'cisco.umbrella.sha_sha256': { + category: 'cisco', + description: 'Hex digest of the response content. ', + name: 'cisco.umbrella.sha_sha256', + type: 'keyword', + }, + 'cisco.umbrella.av_detections': { + category: 'cisco', + description: 'The detection name according to the antivirus engine used in file inspection. ', + name: 'cisco.umbrella.av_detections', + type: 'keyword', + }, + 'cisco.umbrella.puas': { + category: 'cisco', + description: + 'A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. 
', + name: 'cisco.umbrella.puas', + type: 'keyword', + }, + 'cisco.umbrella.amp_disposition': { + category: 'cisco', + description: + 'The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown. ', + name: 'cisco.umbrella.amp_disposition', + type: 'keyword', + }, + 'cisco.umbrella.amp_malware_name': { + category: 'cisco', + description: 'If Malicious, the name of the malware according to AMP. ', + name: 'cisco.umbrella.amp_malware_name', + type: 'keyword', + }, + 'cisco.umbrella.amp_score': { + category: 'cisco', + description: + 'The score of the malware from AMP. This field is not currently used and will be blank. ', + name: 'cisco.umbrella.amp_score', + type: 'keyword', + }, + 'cisco.umbrella.datacenter': { + category: 'cisco', + description: 'The name of the Umbrella Data Center that processed the user-generated traffic. ', + name: 'cisco.umbrella.datacenter', + type: 'keyword', + }, + 'cisco.umbrella.origin_id': { + category: 'cisco', + description: 'The unique identity of the network tunnel. ', + name: 'cisco.umbrella.origin_id', + type: 'keyword', + }, 'coredns.id': { category: 'coredns', description: 'id of the DNS transaction ', @@ -19284,7 +21444,7 @@ export const fieldsBeat: BeatFields = { category: 'fortinet', description: 'Memory usage system statistics ', name: 'fortinet.firewall.mem', - type: 'keyword', + type: 'integer', }, 'fortinet.firewall.meshmode': { category: 'fortinet', 
@@ -20504,341 +22664,1174 @@ export const fieldsBeat: BeatFields = { name: 'fortinet.firewall.weakwepiv', type: 'keyword', }, - 'fortinet.firewall.xauthgroup': { - category: 'fortinet', - description: 'XAuth Group Name ', - name: 'fortinet.firewall.xauthgroup', + 'fortinet.firewall.xauthgroup': { + category: 'fortinet', + description: 'XAuth Group Name ', + name: 'fortinet.firewall.xauthgroup', + type: 'keyword', + }, + 'fortinet.firewall.xauthuser': { + category: 'fortinet', + description: 'XAuth User Name ', + name: 'fortinet.firewall.xauthuser', + type: 'keyword', + }, + 'fortinet.firewall.xid': { + category: 'fortinet', + description: 'Wireless X ID ', + name: 'fortinet.firewall.xid', + type: 'integer', + }, + 'googlecloud.destination.instance.project_id': { + category: 'googlecloud', + description: 'ID of the project containing the VM. ', + name: 'googlecloud.destination.instance.project_id', + type: 'keyword', + }, + 'googlecloud.destination.instance.region': { + category: 'googlecloud', + description: 'Region of the VM. ', + name: 'googlecloud.destination.instance.region', + type: 'keyword', + }, + 'googlecloud.destination.instance.zone': { + category: 'googlecloud', + description: 'Zone of the VM. ', + name: 'googlecloud.destination.instance.zone', + type: 'keyword', + }, + 'googlecloud.destination.vpc.project_id': { + category: 'googlecloud', + description: 'ID of the project containing the VM. ', + name: 'googlecloud.destination.vpc.project_id', + type: 'keyword', + }, + 'googlecloud.destination.vpc.vpc_name': { + category: 'googlecloud', + description: 'VPC on which the VM is operating. ', + name: 'googlecloud.destination.vpc.vpc_name', + type: 'keyword', + }, + 'googlecloud.destination.vpc.subnetwork_name': { + category: 'googlecloud', + description: 'Subnetwork on which the VM is operating. 
', + name: 'googlecloud.destination.vpc.subnetwork_name', + type: 'keyword', + }, + 'googlecloud.source.instance.project_id': { + category: 'googlecloud', + description: 'ID of the project containing the VM. ', + name: 'googlecloud.source.instance.project_id', + type: 'keyword', + }, + 'googlecloud.source.instance.region': { + category: 'googlecloud', + description: 'Region of the VM. ', + name: 'googlecloud.source.instance.region', + type: 'keyword', + }, + 'googlecloud.source.instance.zone': { + category: 'googlecloud', + description: 'Zone of the VM. ', + name: 'googlecloud.source.instance.zone', + type: 'keyword', + }, + 'googlecloud.source.vpc.project_id': { + category: 'googlecloud', + description: 'ID of the project containing the VM. ', + name: 'googlecloud.source.vpc.project_id', + type: 'keyword', + }, + 'googlecloud.source.vpc.vpc_name': { + category: 'googlecloud', + description: 'VPC on which the VM is operating. ', + name: 'googlecloud.source.vpc.vpc_name', + type: 'keyword', + }, + 'googlecloud.source.vpc.subnetwork_name': { + category: 'googlecloud', + description: 'Subnetwork on which the VM is operating. ', + name: 'googlecloud.source.vpc.subnetwork_name', + type: 'keyword', + }, + 'googlecloud.audit.type': { + category: 'googlecloud', + description: 'Type property. ', + name: 'googlecloud.audit.type', + type: 'keyword', + }, + 'googlecloud.audit.authentication_info.principal_email': { + category: 'googlecloud', + description: 'The email address of the authenticated user making the request. ', + name: 'googlecloud.audit.authentication_info.principal_email', + type: 'keyword', + }, + 'googlecloud.audit.authentication_info.authority_selector': { + category: 'googlecloud', + description: + 'The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. 
', + name: 'googlecloud.audit.authentication_info.authority_selector', + type: 'keyword', + }, + 'googlecloud.audit.authorization_info.permission': { + category: 'googlecloud', + description: 'The required IAM permission. ', + name: 'googlecloud.audit.authorization_info.permission', + type: 'keyword', + }, + 'googlecloud.audit.authorization_info.granted': { + category: 'googlecloud', + description: 'Whether or not authorization for resource and permission was granted. ', + name: 'googlecloud.audit.authorization_info.granted', + type: 'boolean', + }, + 'googlecloud.audit.authorization_info.resource_attributes.service': { + category: 'googlecloud', + description: 'The name of the service. ', + name: 'googlecloud.audit.authorization_info.resource_attributes.service', + type: 'keyword', + }, + 'googlecloud.audit.authorization_info.resource_attributes.name': { + category: 'googlecloud', + description: 'The name of the resource. ', + name: 'googlecloud.audit.authorization_info.resource_attributes.name', + type: 'keyword', + }, + 'googlecloud.audit.authorization_info.resource_attributes.type': { + category: 'googlecloud', + description: 'The type of the resource. ', + name: 'googlecloud.audit.authorization_info.resource_attributes.type', + type: 'keyword', + }, + 'googlecloud.audit.method_name': { + category: 'googlecloud', + description: + "The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. ", + name: 'googlecloud.audit.method_name', + type: 'keyword', + }, + 'googlecloud.audit.num_response_items': { + category: 'googlecloud', + description: 'The number of items returned from a List or Query API method, if applicable. ', + name: 'googlecloud.audit.num_response_items', + type: 'long', + }, + 'googlecloud.audit.request.proto_name': { + category: 'googlecloud', + description: 'Type property of the request. 
', + name: 'googlecloud.audit.request.proto_name', + type: 'keyword', + }, + 'googlecloud.audit.request.filter': { + category: 'googlecloud', + description: 'Filter of the request. ', + name: 'googlecloud.audit.request.filter', + type: 'keyword', + }, + 'googlecloud.audit.request.name': { + category: 'googlecloud', + description: 'Name of the request. ', + name: 'googlecloud.audit.request.name', + type: 'keyword', + }, + 'googlecloud.audit.request.resource_name': { + category: 'googlecloud', + description: 'Name of the request resource. ', + name: 'googlecloud.audit.request.resource_name', + type: 'keyword', + }, + 'googlecloud.audit.request_metadata.caller_ip': { + category: 'googlecloud', + description: 'The IP address of the caller. ', + name: 'googlecloud.audit.request_metadata.caller_ip', + type: 'ip', + }, + 'googlecloud.audit.request_metadata.caller_supplied_user_agent': { + category: 'googlecloud', + description: + 'The user agent of the caller. This information is not authenticated and should be treated accordingly. ', + name: 'googlecloud.audit.request_metadata.caller_supplied_user_agent', + type: 'keyword', + }, + 'googlecloud.audit.response.proto_name': { + category: 'googlecloud', + description: 'Type property of the response. ', + name: 'googlecloud.audit.response.proto_name', + type: 'keyword', + }, + 'googlecloud.audit.response.details.group': { + category: 'googlecloud', + description: 'The name of the group. ', + name: 'googlecloud.audit.response.details.group', + type: 'keyword', + }, + 'googlecloud.audit.response.details.kind': { + category: 'googlecloud', + description: 'The kind of the response details. ', + name: 'googlecloud.audit.response.details.kind', + type: 'keyword', + }, + 'googlecloud.audit.response.details.name': { + category: 'googlecloud', + description: 'The name of the response details. 
', + name: 'googlecloud.audit.response.details.name', + type: 'keyword', + }, + 'googlecloud.audit.response.details.uid': { + category: 'googlecloud', + description: 'The uid of the response details. ', + name: 'googlecloud.audit.response.details.uid', + type: 'keyword', + }, + 'googlecloud.audit.response.status': { + category: 'googlecloud', + description: 'Status of the response. ', + name: 'googlecloud.audit.response.status', + type: 'keyword', + }, + 'googlecloud.audit.resource_name': { + category: 'googlecloud', + description: + "The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. ", + name: 'googlecloud.audit.resource_name', + type: 'keyword', + }, + 'googlecloud.audit.resource_location.current_locations': { + category: 'googlecloud', + description: 'Current locations of the resource. ', + name: 'googlecloud.audit.resource_location.current_locations', + type: 'keyword', + }, + 'googlecloud.audit.service_name': { + category: 'googlecloud', + description: + 'The name of the API service performing the operation. For example, datastore.googleapis.com. ', + name: 'googlecloud.audit.service_name', + type: 'keyword', + }, + 'googlecloud.audit.status.code': { + category: 'googlecloud', + description: 'The status code, which should be an enum value of google.rpc.Code. ', + name: 'googlecloud.audit.status.code', + type: 'integer', + }, + 'googlecloud.audit.status.message': { + category: 'googlecloud', + description: + 'A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. 
', + name: 'googlecloud.audit.status.message', + type: 'keyword', + }, + 'googlecloud.firewall.rule_details.priority': { + category: 'googlecloud', + description: 'The priority for the firewall rule.', + name: 'googlecloud.firewall.rule_details.priority', + type: 'long', + }, + 'googlecloud.firewall.rule_details.action': { + category: 'googlecloud', + description: 'Action that the rule performs on match.', + name: 'googlecloud.firewall.rule_details.action', + type: 'keyword', + }, + 'googlecloud.firewall.rule_details.direction': { + category: 'googlecloud', + description: 'Direction of traffic that matches this rule.', + name: 'googlecloud.firewall.rule_details.direction', + type: 'keyword', + }, + 'googlecloud.firewall.rule_details.reference': { + category: 'googlecloud', + description: 'Reference to the firewall rule.', + name: 'googlecloud.firewall.rule_details.reference', + type: 'keyword', + }, + 'googlecloud.firewall.rule_details.source_range': { + category: 'googlecloud', + description: 'List of source ranges that the firewall rule applies to.', + name: 'googlecloud.firewall.rule_details.source_range', + type: 'keyword', + }, + 'googlecloud.firewall.rule_details.destination_range': { + category: 'googlecloud', + description: 'List of destination ranges that the firewall applies to.', + name: 'googlecloud.firewall.rule_details.destination_range', + type: 'keyword', + }, + 'googlecloud.firewall.rule_details.source_tag': { + category: 'googlecloud', + description: 'List of all the source tags that the firewall rule applies to. ', + name: 'googlecloud.firewall.rule_details.source_tag', + type: 'keyword', + }, + 'googlecloud.firewall.rule_details.target_tag': { + category: 'googlecloud', + description: 'List of all the target tags that the firewall rule applies to. 
', + name: 'googlecloud.firewall.rule_details.target_tag', + type: 'keyword', + }, + 'googlecloud.firewall.rule_details.ip_port_info': { + category: 'googlecloud', + description: 'List of ip protocols and applicable port ranges for rules. ', + name: 'googlecloud.firewall.rule_details.ip_port_info', + type: 'array', + }, + 'googlecloud.firewall.rule_details.source_service_account': { + category: 'googlecloud', + description: 'List of all the source service accounts that the firewall rule applies to. ', + name: 'googlecloud.firewall.rule_details.source_service_account', + type: 'keyword', + }, + 'googlecloud.firewall.rule_details.target_service_account': { + category: 'googlecloud', + description: 'List of all the target service accounts that the firewall rule applies to. ', + name: 'googlecloud.firewall.rule_details.target_service_account', + type: 'keyword', + }, + 'googlecloud.vpcflow.reporter': { + category: 'googlecloud', + description: "The side which reported the flow. Can be either 'SRC' or 'DEST'. ", + name: 'googlecloud.vpcflow.reporter', + type: 'keyword', + }, + 'googlecloud.vpcflow.rtt.ms': { + category: 'googlecloud', + description: + 'Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. ', + name: 'googlecloud.vpcflow.rtt.ms', + type: 'long', + }, + 'google_workspace.actor.type': { + category: 'google_workspace', + description: + 'The type of actor. Values can be: *USER*: Another user in the same domain. *EXTERNAL_USER*: A user outside the domain. *KEY*: A non-human actor. ', + name: 'google_workspace.actor.type', + type: 'keyword', + }, + 'google_workspace.actor.key': { + category: 'google_workspace', + description: + 'Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. 
', + name: 'google_workspace.actor.key', + type: 'keyword', + }, + 'google_workspace.event.type': { + category: 'google_workspace', + description: + 'The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list ', + example: 'audit#activity', + name: 'google_workspace.event.type', + type: 'keyword', + }, + 'google_workspace.kind': { + category: 'google_workspace', + description: + 'The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list ', + example: 'audit#activity', + name: 'google_workspace.kind', + type: 'keyword', + }, + 'google_workspace.organization.domain': { + category: 'google_workspace', + description: "The domain that is affected by the report's event. ", + name: 'google_workspace.organization.domain', + type: 'keyword', + }, + 'google_workspace.admin.application.edition': { + category: 'google_workspace', + description: 'The Google Workspace edition.', + name: 'google_workspace.admin.application.edition', + type: 'keyword', + }, + 'google_workspace.admin.application.name': { + category: 'google_workspace', + description: "The application's name.", + name: 'google_workspace.admin.application.name', + type: 'keyword', + }, + 'google_workspace.admin.application.enabled': { + category: 'google_workspace', + description: 'The enabled application.', + name: 'google_workspace.admin.application.enabled', + type: 'keyword', + }, + 'google_workspace.admin.application.licences_order_number': { + category: 'google_workspace', + description: 'Order number used to redeem licenses.', + name: 'google_workspace.admin.application.licences_order_number', + type: 'keyword', + }, + 'google_workspace.admin.application.licences_purchased': { + category: 
'google_workspace', + description: 'Number of licences purchased.', + name: 'google_workspace.admin.application.licences_purchased', + type: 'keyword', + }, + 'google_workspace.admin.application.id': { + category: 'google_workspace', + description: 'The application ID.', + name: 'google_workspace.admin.application.id', + type: 'keyword', + }, + 'google_workspace.admin.application.asp_id': { + category: 'google_workspace', + description: 'The application specific password ID.', + name: 'google_workspace.admin.application.asp_id', + type: 'keyword', + }, + 'google_workspace.admin.application.package_id': { + category: 'google_workspace', + description: 'The mobile application package ID.', + name: 'google_workspace.admin.application.package_id', + type: 'keyword', + }, + 'google_workspace.admin.group.email': { + category: 'google_workspace', + description: "The group's primary email address.", + name: 'google_workspace.admin.group.email', + type: 'keyword', + }, + 'google_workspace.admin.new_value': { + category: 'google_workspace', + description: 'The new value for the setting.', + name: 'google_workspace.admin.new_value', + type: 'keyword', + }, + 'google_workspace.admin.old_value': { + category: 'google_workspace', + description: 'The old value for the setting.', + name: 'google_workspace.admin.old_value', + type: 'keyword', + }, + 'google_workspace.admin.org_unit.name': { + category: 'google_workspace', + description: 'The organizational unit name.', + name: 'google_workspace.admin.org_unit.name', + type: 'keyword', + }, + 'google_workspace.admin.org_unit.full': { + category: 'google_workspace', + description: 'The org unit full path including the root org unit name.', + name: 'google_workspace.admin.org_unit.full', + type: 'keyword', + }, + 'google_workspace.admin.setting.name': { + category: 'google_workspace', + description: 'The setting name.', + name: 'google_workspace.admin.setting.name', + type: 'keyword', + }, + 
'google_workspace.admin.user_defined_setting.name': { + category: 'google_workspace', + description: 'The name of the user-defined setting.', + name: 'google_workspace.admin.user_defined_setting.name', + type: 'keyword', + }, + 'google_workspace.admin.setting.description': { + category: 'google_workspace', + description: 'The setting name.', + name: 'google_workspace.admin.setting.description', + type: 'keyword', + }, + 'google_workspace.admin.group.priorities': { + category: 'google_workspace', + description: 'Group priorities.', + name: 'google_workspace.admin.group.priorities', + type: 'keyword', + }, + 'google_workspace.admin.domain.alias': { + category: 'google_workspace', + description: 'The domain alias.', + name: 'google_workspace.admin.domain.alias', + type: 'keyword', + }, + 'google_workspace.admin.domain.name': { + category: 'google_workspace', + description: 'The primary domain name.', + name: 'google_workspace.admin.domain.name', + type: 'keyword', + }, + 'google_workspace.admin.domain.secondary_name': { + category: 'google_workspace', + description: 'The secondary domain name.', + name: 'google_workspace.admin.domain.secondary_name', + type: 'keyword', + }, + 'google_workspace.admin.managed_configuration': { + category: 'google_workspace', + description: 'The name of the managed configuration.', + name: 'google_workspace.admin.managed_configuration', + type: 'keyword', + }, + 'google_workspace.admin.non_featured_services_selection': { + category: 'google_workspace', + description: + 'Non-featured services selection. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED ', + name: 'google_workspace.admin.non_featured_services_selection', + type: 'keyword', + }, + 'google_workspace.admin.field': { + category: 'google_workspace', + description: 'The name of the field.', + name: 'google_workspace.admin.field', + type: 'keyword', + }, + 'google_workspace.admin.resource.id': { + category: 'google_workspace', + description: 'The name of the resource identifier.', + name: 'google_workspace.admin.resource.id', + type: 'keyword', + }, + 'google_workspace.admin.user.email': { + category: 'google_workspace', + description: "The user's primary email address.", + name: 'google_workspace.admin.user.email', + type: 'keyword', + }, + 'google_workspace.admin.user.nickname': { + category: 'google_workspace', + description: "The user's nickname.", + name: 'google_workspace.admin.user.nickname', + type: 'keyword', + }, + 'google_workspace.admin.user.birthdate': { + category: 'google_workspace', + description: "The user's birth date.", + name: 'google_workspace.admin.user.birthdate', + type: 'date', + }, + 'google_workspace.admin.gateway.name': { + category: 'google_workspace', + description: 'Gateway name. 
Present on some chat settings.', + name: 'google_workspace.admin.gateway.name', + type: 'keyword', + }, + 'google_workspace.admin.chrome_os.session_type': { + category: 'google_workspace', + description: 'Chrome OS session type.', + name: 'google_workspace.admin.chrome_os.session_type', + type: 'keyword', + }, + 'google_workspace.admin.device.serial_number': { + category: 'google_workspace', + description: 'Device serial number.', + name: 'google_workspace.admin.device.serial_number', + type: 'keyword', + }, + 'google_workspace.admin.device.id': { + category: 'google_workspace', + name: 'google_workspace.admin.device.id', + type: 'keyword', + }, + 'google_workspace.admin.device.type': { + category: 'google_workspace', + description: 'Device type.', + name: 'google_workspace.admin.device.type', + type: 'keyword', + }, + 'google_workspace.admin.print_server.name': { + category: 'google_workspace', + description: 'The name of the print server.', + name: 'google_workspace.admin.print_server.name', + type: 'keyword', + }, + 'google_workspace.admin.printer.name': { + category: 'google_workspace', + description: 'The name of the printer.', + name: 'google_workspace.admin.printer.name', + type: 'keyword', + }, + 'google_workspace.admin.device.command_details': { + category: 'google_workspace', + description: 'Command details.', + name: 'google_workspace.admin.device.command_details', + type: 'keyword', + }, + 'google_workspace.admin.role.id': { + category: 'google_workspace', + description: 'Unique identifier for this role privilege.', + name: 'google_workspace.admin.role.id', + type: 'keyword', + }, + 'google_workspace.admin.role.name': { + category: 'google_workspace', + description: + 'The role name. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings ', + name: 'google_workspace.admin.role.name', + type: 'keyword', + }, + 'google_workspace.admin.privilege.name': { + category: 'google_workspace', + description: 'Privilege name.', + name: 'google_workspace.admin.privilege.name', + type: 'keyword', + }, + 'google_workspace.admin.service.name': { + category: 'google_workspace', + description: 'The service name.', + name: 'google_workspace.admin.service.name', + type: 'keyword', + }, + 'google_workspace.admin.url.name': { + category: 'google_workspace', + description: 'The website name.', + name: 'google_workspace.admin.url.name', + type: 'keyword', + }, + 'google_workspace.admin.product.name': { + category: 'google_workspace', + description: 'The product name.', + name: 'google_workspace.admin.product.name', + type: 'keyword', + }, + 'google_workspace.admin.product.sku': { + category: 'google_workspace', + description: 'The product SKU.', + name: 'google_workspace.admin.product.sku', + type: 'keyword', + }, + 'google_workspace.admin.bulk_upload.failed': { + category: 'google_workspace', + description: 'Number of failed records in bulk upload operation.', + name: 'google_workspace.admin.bulk_upload.failed', + type: 'long', + }, + 'google_workspace.admin.bulk_upload.total': { + category: 'google_workspace', + description: 'Number of total records in bulk upload operation.', + name: 'google_workspace.admin.bulk_upload.total', + type: 'long', + }, + 'google_workspace.admin.group.allowed_list': { + category: 'google_workspace', + description: 'Names of allow-listed groups.', + name: 'google_workspace.admin.group.allowed_list', + type: 'keyword', + }, + 'google_workspace.admin.email.quarantine_name': { + category: 'google_workspace', + description: 'The name of the quarantine.', + name: 'google_workspace.admin.email.quarantine_name', + type: 'keyword', + }, + 
'google_workspace.admin.email.log_search_filter.message_id': { + category: 'google_workspace', + description: "The log search filter's email message ID.", + name: 'google_workspace.admin.email.log_search_filter.message_id', + type: 'keyword', + }, + 'google_workspace.admin.email.log_search_filter.start_date': { + category: 'google_workspace', + description: "The log search filter's start date.", + name: 'google_workspace.admin.email.log_search_filter.start_date', + type: 'date', + }, + 'google_workspace.admin.email.log_search_filter.end_date': { + category: 'google_workspace', + description: "The log search filter's ending date.", + name: 'google_workspace.admin.email.log_search_filter.end_date', + type: 'date', + }, + 'google_workspace.admin.email.log_search_filter.recipient.value': { + category: 'google_workspace', + description: "The log search filter's email recipient.", + name: 'google_workspace.admin.email.log_search_filter.recipient.value', + type: 'keyword', + }, + 'google_workspace.admin.email.log_search_filter.sender.value': { + category: 'google_workspace', + description: "The log search filter's email sender.", + name: 'google_workspace.admin.email.log_search_filter.sender.value', + type: 'keyword', + }, + 'google_workspace.admin.email.log_search_filter.recipient.ip': { + category: 'google_workspace', + description: "The log search filter's email recipient's IP address.", + name: 'google_workspace.admin.email.log_search_filter.recipient.ip', + type: 'ip', + }, + 'google_workspace.admin.email.log_search_filter.sender.ip': { + category: 'google_workspace', + description: "The log search filter's email sender's IP address.", + name: 'google_workspace.admin.email.log_search_filter.sender.ip', + type: 'ip', + }, + 'google_workspace.admin.chrome_licenses.enabled': { + category: 'google_workspace', + description: + 'Licences enabled. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings ', + name: 'google_workspace.admin.chrome_licenses.enabled', + type: 'keyword', + }, + 'google_workspace.admin.chrome_licenses.allowed': { + category: 'google_workspace', + description: + 'Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings ', + name: 'google_workspace.admin.chrome_licenses.allowed', + type: 'keyword', + }, + 'google_workspace.admin.oauth2.service.name': { + category: 'google_workspace', + description: + 'OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings ', + name: 'google_workspace.admin.oauth2.service.name', + type: 'keyword', + }, + 'google_workspace.admin.oauth2.application.id': { + category: 'google_workspace', + description: 'OAuth2 application ID.', + name: 'google_workspace.admin.oauth2.application.id', + type: 'keyword', + }, + 'google_workspace.admin.oauth2.application.name': { + category: 'google_workspace', + description: 'OAuth2 application name.', + name: 'google_workspace.admin.oauth2.application.name', + type: 'keyword', + }, + 'google_workspace.admin.oauth2.application.type': { + category: 'google_workspace', + description: + 'OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings ', + name: 'google_workspace.admin.oauth2.application.type', + type: 'keyword', + }, + 'google_workspace.admin.verification_method': { + category: 'google_workspace', + description: + 'Related verification method. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings ', + name: 'google_workspace.admin.verification_method', + type: 'keyword', + }, + 'google_workspace.admin.alert.name': { + category: 'google_workspace', + description: 'The alert name.', + name: 'google_workspace.admin.alert.name', + type: 'keyword', + }, + 'google_workspace.admin.rule.name': { + category: 'google_workspace', + description: 'The rule name.', + name: 'google_workspace.admin.rule.name', + type: 'keyword', + }, + 'google_workspace.admin.api.client.name': { + category: 'google_workspace', + description: 'The API client name.', + name: 'google_workspace.admin.api.client.name', + type: 'keyword', + }, + 'google_workspace.admin.api.scopes': { + category: 'google_workspace', + description: 'The API scopes.', + name: 'google_workspace.admin.api.scopes', + type: 'keyword', + }, + 'google_workspace.admin.mdm.token': { + category: 'google_workspace', + description: 'The MDM vendor enrollment token.', + name: 'google_workspace.admin.mdm.token', + type: 'keyword', + }, + 'google_workspace.admin.mdm.vendor': { + category: 'google_workspace', + description: "The MDM vendor's name.", + name: 'google_workspace.admin.mdm.vendor', + type: 'keyword', + }, + 'google_workspace.admin.info_type': { + category: 'google_workspace', + description: + 'This will be used to state what kind of information was changed. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings ', + name: 'google_workspace.admin.info_type', + type: 'keyword', + }, + 'google_workspace.admin.email_monitor.dest_email': { + category: 'google_workspace', + description: 'The destination address of the email monitor.', + name: 'google_workspace.admin.email_monitor.dest_email', + type: 'keyword', + }, + 'google_workspace.admin.email_monitor.level.chat': { + category: 'google_workspace', + description: 'The chat email monitor level.', + name: 'google_workspace.admin.email_monitor.level.chat', + type: 'keyword', + }, + 'google_workspace.admin.email_monitor.level.draft': { + category: 'google_workspace', + description: 'The draft email monitor level.', + name: 'google_workspace.admin.email_monitor.level.draft', type: 'keyword', }, - 'fortinet.firewall.xauthuser': { - category: 'fortinet', - description: 'XAuth User Name ', - name: 'fortinet.firewall.xauthuser', + 'google_workspace.admin.email_monitor.level.incoming': { + category: 'google_workspace', + description: 'The incoming email monitor level.', + name: 'google_workspace.admin.email_monitor.level.incoming', type: 'keyword', }, - 'fortinet.firewall.xid': { - category: 'fortinet', - description: 'Wireless X ID ', - name: 'fortinet.firewall.xid', - type: 'integer', - }, - 'googlecloud.destination.instance.project_id': { - category: 'googlecloud', - description: 'ID of the project containing the VM. ', - name: 'googlecloud.destination.instance.project_id', + 'google_workspace.admin.email_monitor.level.outgoing': { + category: 'google_workspace', + description: 'The outgoing email monitor level.', + name: 'google_workspace.admin.email_monitor.level.outgoing', type: 'keyword', }, - 'googlecloud.destination.instance.region': { - category: 'googlecloud', - description: 'Region of the VM. 
', - name: 'googlecloud.destination.instance.region', + 'google_workspace.admin.email_dump.include_deleted': { + category: 'google_workspace', + description: 'Indicates if deleted emails are included in the export.', + name: 'google_workspace.admin.email_dump.include_deleted', + type: 'boolean', + }, + 'google_workspace.admin.email_dump.package_content': { + category: 'google_workspace', + description: 'The contents of the mailbox package.', + name: 'google_workspace.admin.email_dump.package_content', type: 'keyword', }, - 'googlecloud.destination.instance.zone': { - category: 'googlecloud', - description: 'Zone of the VM. ', - name: 'googlecloud.destination.instance.zone', + 'google_workspace.admin.email_dump.query': { + category: 'google_workspace', + description: 'The search query used for the dump.', + name: 'google_workspace.admin.email_dump.query', type: 'keyword', }, - 'googlecloud.destination.vpc.project_id': { - category: 'googlecloud', - description: 'ID of the project containing the VM. ', - name: 'googlecloud.destination.vpc.project_id', + 'google_workspace.admin.request.id': { + category: 'google_workspace', + description: 'The request ID.', + name: 'google_workspace.admin.request.id', type: 'keyword', }, - 'googlecloud.destination.vpc.vpc_name': { - category: 'googlecloud', - description: 'VPC on which the VM is operating. ', - name: 'googlecloud.destination.vpc.vpc_name', + 'google_workspace.admin.mobile.action.id': { + category: 'google_workspace', + description: "The mobile device action's ID.", + name: 'google_workspace.admin.mobile.action.id', type: 'keyword', }, - 'googlecloud.destination.vpc.subnetwork_name': { - category: 'googlecloud', - description: 'Subnetwork on which the VM is operating. ', - name: 'googlecloud.destination.vpc.subnetwork_name', + 'google_workspace.admin.mobile.action.type': { + category: 'google_workspace', + description: + "The mobile device action's type. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings ", + name: 'google_workspace.admin.mobile.action.type', type: 'keyword', }, - 'googlecloud.source.instance.project_id': { - category: 'googlecloud', - description: 'ID of the project containing the VM. ', - name: 'googlecloud.source.instance.project_id', + 'google_workspace.admin.mobile.certificate.name': { + category: 'google_workspace', + description: 'The mobile certificate common name.', + name: 'google_workspace.admin.mobile.certificate.name', type: 'keyword', }, - 'googlecloud.source.instance.region': { - category: 'googlecloud', - description: 'Region of the VM. ', - name: 'googlecloud.source.instance.region', + 'google_workspace.admin.mobile.company_owned_devices': { + category: 'google_workspace', + description: 'The number of devices a company owns.', + name: 'google_workspace.admin.mobile.company_owned_devices', + type: 'long', + }, + 'google_workspace.admin.distribution.entity.name': { + category: 'google_workspace', + description: + 'The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings ', + name: 'google_workspace.admin.distribution.entity.name', type: 'keyword', }, - 'googlecloud.source.instance.zone': { - category: 'googlecloud', - description: 'Zone of the VM. ', - name: 'googlecloud.source.instance.zone', + 'google_workspace.admin.distribution.entity.type': { + category: 'google_workspace', + description: + 'The distribution entity type, which can be a group or an org-unit. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings ', + name: 'google_workspace.admin.distribution.entity.type', type: 'keyword', }, - 'googlecloud.source.vpc.project_id': { - category: 'googlecloud', - description: 'ID of the project containing the VM. ', - name: 'googlecloud.source.vpc.project_id', + 'google_workspace.drive.billable': { + category: 'google_workspace', + description: 'Whether this activity is billable.', + name: 'google_workspace.drive.billable', + type: 'boolean', + }, + 'google_workspace.drive.source_folder_id': { + category: 'google_workspace', + name: 'google_workspace.drive.source_folder_id', type: 'keyword', }, - 'googlecloud.source.vpc.vpc_name': { - category: 'googlecloud', - description: 'VPC on which the VM is operating. ', - name: 'googlecloud.source.vpc.vpc_name', + 'google_workspace.drive.source_folder_title': { + category: 'google_workspace', + name: 'google_workspace.drive.source_folder_title', type: 'keyword', }, - 'googlecloud.source.vpc.subnetwork_name': { - category: 'googlecloud', - description: 'Subnetwork on which the VM is operating. ', - name: 'googlecloud.source.vpc.subnetwork_name', + 'google_workspace.drive.destination_folder_id': { + category: 'google_workspace', + name: 'google_workspace.drive.destination_folder_id', type: 'keyword', }, - 'googlecloud.audit.type': { - category: 'googlecloud', - description: 'Type property. ', - name: 'googlecloud.audit.type', + 'google_workspace.drive.destination_folder_title': { + category: 'google_workspace', + name: 'google_workspace.drive.destination_folder_title', type: 'keyword', }, - 'googlecloud.audit.authentication_info.principal_email': { - category: 'googlecloud', - description: 'The email address of the authenticated user making the request. 
', - name: 'googlecloud.audit.authentication_info.principal_email', + 'google_workspace.drive.file.id': { + category: 'google_workspace', + name: 'google_workspace.drive.file.id', type: 'keyword', }, - 'googlecloud.audit.authentication_info.authority_selector': { - category: 'googlecloud', + 'google_workspace.drive.file.type': { + category: 'google_workspace', description: - 'The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. ', - name: 'googlecloud.audit.authentication_info.authority_selector', + 'Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive ', + name: 'google_workspace.drive.file.type', type: 'keyword', }, - 'googlecloud.audit.authorization_info.permission': { - category: 'googlecloud', - description: 'The required IAM permission. ', - name: 'googlecloud.audit.authorization_info.permission', + 'google_workspace.drive.originating_app_id': { + category: 'google_workspace', + description: 'The Google Cloud Project ID of the application that performed the action. ', + name: 'google_workspace.drive.originating_app_id', type: 'keyword', }, - 'googlecloud.audit.authorization_info.granted': { - category: 'googlecloud', - description: 'Whether or not authorization for resource and permission was granted. ', - name: 'googlecloud.audit.authorization_info.granted', + 'google_workspace.drive.file.owner.email': { + category: 'google_workspace', + name: 'google_workspace.drive.file.owner.email', + type: 'keyword', + }, + 'google_workspace.drive.file.owner.is_shared_drive': { + category: 'google_workspace', + description: 'Boolean flag denoting whether owner is a shared drive. ', + name: 'google_workspace.drive.file.owner.is_shared_drive', type: 'boolean', }, - 'googlecloud.audit.authorization_info.resource_attributes.service': { - category: 'googlecloud', - description: 'The name of the service. 
', - name: 'googlecloud.audit.authorization_info.resource_attributes.service', - type: 'keyword', + 'google_workspace.drive.primary_event': { + category: 'google_workspace', + description: + 'Whether this is a primary event. A single user action in Drive may generate several events. ', + name: 'google_workspace.drive.primary_event', + type: 'boolean', }, - 'googlecloud.audit.authorization_info.resource_attributes.name': { - category: 'googlecloud', - description: 'The name of the resource. ', - name: 'googlecloud.audit.authorization_info.resource_attributes.name', + 'google_workspace.drive.shared_drive_id': { + category: 'google_workspace', + description: + 'The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. ', + name: 'google_workspace.drive.shared_drive_id', type: 'keyword', }, - 'googlecloud.audit.authorization_info.resource_attributes.type': { - category: 'googlecloud', - description: 'The type of the resource. ', - name: 'googlecloud.audit.authorization_info.resource_attributes.type', + 'google_workspace.drive.visibility': { + category: 'google_workspace', + description: + 'Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive ', + name: 'google_workspace.drive.visibility', type: 'keyword', }, - 'googlecloud.audit.method_name': { - category: 'googlecloud', + 'google_workspace.drive.new_value': { + category: 'google_workspace', description: - "The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. ", - name: 'googlecloud.audit.method_name', + 'When a setting or property of the file changes, the new value for it will appear here. 
', + name: 'google_workspace.drive.new_value', type: 'keyword', }, - 'googlecloud.audit.num_response_items': { - category: 'googlecloud', - description: 'The number of items returned from a List or Query API method, if applicable. ', - name: 'googlecloud.audit.num_response_items', - type: 'long', + 'google_workspace.drive.old_value': { + category: 'google_workspace', + description: + 'When a setting or property of the file changes, the old value for it will appear here. ', + name: 'google_workspace.drive.old_value', + type: 'keyword', }, - 'googlecloud.audit.request.proto_name': { - category: 'googlecloud', - description: 'Type property of the request. ', - name: 'googlecloud.audit.request.proto_name', + 'google_workspace.drive.sheets_import_range_recipient_doc': { + category: 'google_workspace', + description: 'Doc ID of the recipient of a sheets import range.', + name: 'google_workspace.drive.sheets_import_range_recipient_doc', type: 'keyword', }, - 'googlecloud.audit.request.filter': { - category: 'googlecloud', - description: 'Filter of the request. ', - name: 'googlecloud.audit.request.filter', + 'google_workspace.drive.old_visibility': { + category: 'google_workspace', + description: 'When visibility changes, this holds the old value. ', + name: 'google_workspace.drive.old_visibility', type: 'keyword', }, - 'googlecloud.audit.request.name': { - category: 'googlecloud', - description: 'Name of the request. ', - name: 'googlecloud.audit.request.name', + 'google_workspace.drive.visibility_change': { + category: 'google_workspace', + description: 'When visibility changes, this holds the new overall visibility of the file. ', + name: 'google_workspace.drive.visibility_change', type: 'keyword', }, - 'googlecloud.audit.request.resource_name': { - category: 'googlecloud', - description: 'Name of the request resource. 
', - name: 'googlecloud.audit.request.resource_name', + 'google_workspace.drive.target_domain': { + category: 'google_workspace', + description: + 'The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. ', + name: 'google_workspace.drive.target_domain', type: 'keyword', }, - 'googlecloud.audit.request_metadata.caller_ip': { - category: 'googlecloud', - description: 'The IP address of the caller. ', - name: 'googlecloud.audit.request_metadata.caller_ip', - type: 'ip', + 'google_workspace.drive.added_role': { + category: 'google_workspace', + description: + 'Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive ', + name: 'google_workspace.drive.added_role', + type: 'keyword', }, - 'googlecloud.audit.request_metadata.caller_supplied_user_agent': { - category: 'googlecloud', + 'google_workspace.drive.membership_change_type': { + category: 'google_workspace', description: - 'The user agent of the caller. This information is not authenticated and should be treated accordingly. ', - name: 'googlecloud.audit.request_metadata.caller_supplied_user_agent', + 'Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive ', + name: 'google_workspace.drive.membership_change_type', type: 'keyword', }, - 'googlecloud.audit.response.proto_name': { - category: 'googlecloud', - description: 'Type property of the response. ', - name: 'googlecloud.audit.response.proto_name', + 'google_workspace.drive.shared_drive_settings_change_type': { + category: 'google_workspace', + description: + 'Type of change in Team Drive settings. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive ', + name: 'google_workspace.drive.shared_drive_settings_change_type', type: 'keyword', }, - 'googlecloud.audit.response.details.group': { - category: 'googlecloud', - description: 'The name of the group. ', - name: 'googlecloud.audit.response.details.group', + 'google_workspace.drive.removed_role': { + category: 'google_workspace', + description: + 'Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive ', + name: 'google_workspace.drive.removed_role', type: 'keyword', }, - 'googlecloud.audit.response.details.kind': { - category: 'googlecloud', - description: 'The kind of the response details. ', - name: 'googlecloud.audit.response.details.kind', + 'google_workspace.drive.target': { + category: 'google_workspace', + description: 'Target user or group.', + name: 'google_workspace.drive.target', type: 'keyword', }, - 'googlecloud.audit.response.details.name': { - category: 'googlecloud', - description: 'The name of the response details. ', - name: 'googlecloud.audit.response.details.name', + 'google_workspace.groups.acl_permission': { + category: 'google_workspace', + description: + 'Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups ', + name: 'google_workspace.groups.acl_permission', type: 'keyword', }, - 'googlecloud.audit.response.details.uid': { - category: 'googlecloud', - description: 'The uid of the response details. ', - name: 'googlecloud.audit.response.details.uid', + 'google_workspace.groups.email': { + category: 'google_workspace', + description: 'Group email. ', + name: 'google_workspace.groups.email', type: 'keyword', }, - 'googlecloud.audit.response.status': { - category: 'googlecloud', - description: 'Status of the response. 
', - name: 'googlecloud.audit.response.status', + 'google_workspace.groups.member.email': { + category: 'google_workspace', + description: 'Member email. ', + name: 'google_workspace.groups.member.email', type: 'keyword', }, - 'googlecloud.audit.resource_name': { - category: 'googlecloud', + 'google_workspace.groups.member.role': { + category: 'google_workspace', description: - "The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. ", - name: 'googlecloud.audit.resource_name', + 'Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups ', + name: 'google_workspace.groups.member.role', type: 'keyword', }, - 'googlecloud.audit.resource_location.current_locations': { - category: 'googlecloud', - description: 'Current locations of the resource. ', - name: 'googlecloud.audit.resource_location.current_locations', + 'google_workspace.groups.setting': { + category: 'google_workspace', + description: + 'Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups ', + name: 'google_workspace.groups.setting', type: 'keyword', }, - 'googlecloud.audit.service_name': { - category: 'googlecloud', + 'google_workspace.groups.new_value': { + category: 'google_workspace', description: - 'The name of the API service performing the operation. For example, datastore.googleapis.com. ', - name: 'googlecloud.audit.service_name', + 'New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups ', + name: 'google_workspace.groups.new_value', type: 'keyword', }, - 'googlecloud.audit.status.code': { - category: 'googlecloud', - description: 'The status code, which should be an enum value of google.rpc.Code. 
', - name: 'googlecloud.audit.status.code', - type: 'integer', - }, - 'googlecloud.audit.status.message': { - category: 'googlecloud', + 'google_workspace.groups.old_value': { + category: 'google_workspace', description: - 'A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. ', - name: 'googlecloud.audit.status.message', + 'Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups', + name: 'google_workspace.groups.old_value', type: 'keyword', }, - 'googlecloud.firewall.rule_details.priority': { - category: 'googlecloud', - description: 'The priority for the firewall rule.', - name: 'googlecloud.firewall.rule_details.priority', - type: 'long', + 'google_workspace.groups.value': { + category: 'google_workspace', + description: + 'Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups ', + name: 'google_workspace.groups.value', + type: 'keyword', }, - 'googlecloud.firewall.rule_details.action': { - category: 'googlecloud', - description: 'Action that the rule performs on match.', - name: 'googlecloud.firewall.rule_details.action', + 'google_workspace.groups.message.id': { + category: 'google_workspace', + description: 'SMTP message Id of an email message. Present for moderation events. ', + name: 'google_workspace.groups.message.id', type: 'keyword', }, - 'googlecloud.firewall.rule_details.direction': { - category: 'googlecloud', - description: 'Direction of traffic that matches this rule.', - name: 'googlecloud.firewall.rule_details.direction', + 'google_workspace.groups.message.moderation_action': { + category: 'google_workspace', + description: 'Message moderation action. Possible values are `approved` and `rejected`. 
', + name: 'google_workspace.groups.message.moderation_action', type: 'keyword', }, - 'googlecloud.firewall.rule_details.reference': { - category: 'googlecloud', - description: 'Reference to the firewall rule.', - name: 'googlecloud.firewall.rule_details.reference', + 'google_workspace.groups.status': { + category: 'google_workspace', + description: + 'A status describing the output of an operation. Possible values are `failed` and `succeeded`. ', + name: 'google_workspace.groups.status', type: 'keyword', }, - 'googlecloud.firewall.rule_details.source_range': { - category: 'googlecloud', - description: 'List of source ranges that the firewall rule applies to.', - name: 'googlecloud.firewall.rule_details.source_range', + 'google_workspace.login.affected_email_address': { + category: 'google_workspace', + name: 'google_workspace.login.affected_email_address', type: 'keyword', }, - 'googlecloud.firewall.rule_details.destination_range': { - category: 'googlecloud', - description: 'List of destination ranges that the firewall applies to.', - name: 'googlecloud.firewall.rule_details.destination_range', + 'google_workspace.login.challenge_method': { + category: 'google_workspace', + description: + 'Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. ', + name: 'google_workspace.login.challenge_method', type: 'keyword', }, - 'googlecloud.firewall.rule_details.source_tag': { - category: 'googlecloud', - description: 'List of all the source tags that the firewall rule applies to. ', - name: 'googlecloud.firewall.rule_details.source_tag', + 'google_workspace.login.failure_type': { + category: 'google_workspace', + description: + 'Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. 
', + name: 'google_workspace.login.failure_type', type: 'keyword', }, - 'googlecloud.firewall.rule_details.target_tag': { - category: 'googlecloud', - description: 'List of all the target tags that the firewall rule applies to. ', - name: 'googlecloud.firewall.rule_details.target_tag', + 'google_workspace.login.type': { + category: 'google_workspace', + description: + 'Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. ', + name: 'google_workspace.login.type', type: 'keyword', }, - 'googlecloud.firewall.rule_details.ip_port_info': { - category: 'googlecloud', - description: 'List of ip protocols and applicable port ranges for rules. ', - name: 'googlecloud.firewall.rule_details.ip_port_info', - type: 'array', + 'google_workspace.login.is_second_factor': { + category: 'google_workspace', + name: 'google_workspace.login.is_second_factor', + type: 'boolean', }, - 'googlecloud.firewall.rule_details.source_service_account': { - category: 'googlecloud', - description: 'List of all the source service accounts that the firewall rule applies to. ', - name: 'googlecloud.firewall.rule_details.source_service_account', + 'google_workspace.login.is_suspicious': { + category: 'google_workspace', + name: 'google_workspace.login.is_suspicious', + type: 'boolean', + }, + 'google_workspace.saml.application_name': { + category: 'google_workspace', + description: 'Saml SP application name. ', + name: 'google_workspace.saml.application_name', type: 'keyword', }, - 'googlecloud.firewall.rule_details.target_service_account': { - category: 'googlecloud', - description: 'List of all the target service accounts that the firewall rule applies to. ', - name: 'googlecloud.firewall.rule_details.target_service_account', + 'google_workspace.saml.failure_type': { + category: 'google_workspace', + description: + 'Login failure type. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. ', + name: 'google_workspace.saml.failure_type', type: 'keyword', }, - 'googlecloud.vpcflow.reporter': { - category: 'googlecloud', - description: "The side which reported the flow. Can be either 'SRC' or 'DEST'. ", - name: 'googlecloud.vpcflow.reporter', + 'google_workspace.saml.initiated_by': { + category: 'google_workspace', + description: 'Requester of SAML authentication. ', + name: 'google_workspace.saml.initiated_by', type: 'keyword', }, - 'googlecloud.vpcflow.rtt.ms': { - category: 'googlecloud', - description: - 'Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. ', - name: 'googlecloud.vpcflow.rtt.ms', + 'google_workspace.saml.orgunit_path': { + category: 'google_workspace', + description: 'User orgunit. ', + name: 'google_workspace.saml.orgunit_path', + type: 'keyword', + }, + 'google_workspace.saml.status_code': { + category: 'google_workspace', + description: 'SAML status code. ', + name: 'google_workspace.saml.status_code', + type: 'long', + }, + 'google_workspace.saml.second_level_status_code': { + category: 'google_workspace', + description: 'SAML second level status code. ', + name: 'google_workspace.saml.second_level_status_code', type: 'long', }, 'gsuite.actor.type': { 
@@ -21893,6 +24886,582 @@ export const fieldsBeat: BeatFields = { name: 'iptables.ubiquiti.rule_set', type: 'keyword', }, + 'juniper.srx.reason': { + category: 'juniper', + description: 'reason ', + name: 'juniper.srx.reason', + type: 'keyword', + }, + 'juniper.srx.connection_tag': { + category: 'juniper', + description: 'connection tag ', + name: 'juniper.srx.connection_tag', + type: 'keyword', + }, + 'juniper.srx.service_name': { + category: 'juniper', + description: 'service name ', + name: 'juniper.srx.service_name', + type: 'keyword', + }, + 'juniper.srx.nat_connection_tag': { + category: 'juniper', + description: 'nat connection tag ', + name: 'juniper.srx.nat_connection_tag', + type: 'keyword', + }, + 'juniper.srx.src_nat_rule_type': { + category: 'juniper', + description: 'src nat rule type ', + name: 'juniper.srx.src_nat_rule_type', + type: 'keyword', + }, + 'juniper.srx.src_nat_rule_name': { + category: 'juniper', + description: 'src nat rule name ', + name: 'juniper.srx.src_nat_rule_name', + type: 'keyword', + }, + 'juniper.srx.dst_nat_rule_type': { + category: 'juniper', + description: 'dst nat rule type ', + name: 'juniper.srx.dst_nat_rule_type', + type: 'keyword', + }, + 'juniper.srx.dst_nat_rule_name': { + category: 'juniper', + description: 'dst nat rule name ', + name: 'juniper.srx.dst_nat_rule_name', + type: 'keyword', + }, + 'juniper.srx.protocol_id': { + category: 'juniper', + description: 'protocol id ', + name: 'juniper.srx.protocol_id', + type: 'keyword', + }, + 'juniper.srx.policy_name': { + category: 'juniper', + description: 'policy name ', + name: 'juniper.srx.policy_name', + type: 'keyword', + }, + 'juniper.srx.session_id_32': { + category: 'juniper', + description: 'session id 32 ', + name: 'juniper.srx.session_id_32', + type: 'keyword', + }, + 'juniper.srx.session_id': { + category: 'juniper', + description: 'session id ', + name: 'juniper.srx.session_id', + type: 'keyword', + }, + 'juniper.srx.outbound_packets': { + category: 
'juniper', + description: 'packets from client ', + name: 'juniper.srx.outbound_packets', + type: 'integer', + }, + 'juniper.srx.outbound_bytes': { + category: 'juniper', + description: 'bytes from client ', + name: 'juniper.srx.outbound_bytes', + type: 'integer', + }, + 'juniper.srx.inbound_packets': { + category: 'juniper', + description: 'packets from server ', + name: 'juniper.srx.inbound_packets', + type: 'integer', + }, + 'juniper.srx.inbound_bytes': { + category: 'juniper', + description: 'bytes from server ', + name: 'juniper.srx.inbound_bytes', + type: 'integer', + }, + 'juniper.srx.elapsed_time': { + category: 'juniper', + description: 'elapsed time ', + name: 'juniper.srx.elapsed_time', + type: 'date', + }, + 'juniper.srx.application': { + category: 'juniper', + description: 'application ', + name: 'juniper.srx.application', + type: 'keyword', + }, + 'juniper.srx.nested_application': { + category: 'juniper', + description: 'nested application ', + name: 'juniper.srx.nested_application', + type: 'keyword', + }, + 'juniper.srx.username': { + category: 'juniper', + description: 'username ', + name: 'juniper.srx.username', + type: 'keyword', + }, + 'juniper.srx.roles': { + category: 'juniper', + description: 'roles ', + name: 'juniper.srx.roles', + type: 'keyword', + }, + 'juniper.srx.encrypted': { + category: 'juniper', + description: 'encrypted ', + name: 'juniper.srx.encrypted', + type: 'keyword', + }, + 'juniper.srx.application_category': { + category: 'juniper', + description: 'application category ', + name: 'juniper.srx.application_category', + type: 'keyword', + }, + 'juniper.srx.application_sub_category': { + category: 'juniper', + description: 'application sub category ', + name: 'juniper.srx.application_sub_category', + type: 'keyword', + }, + 'juniper.srx.application_characteristics': { + category: 'juniper', + description: 'application characteristics ', + name: 'juniper.srx.application_characteristics', + type: 'keyword', + }, + 
'juniper.srx.secure_web_proxy_session_type': { + category: 'juniper', + description: 'secure web proxy session type ', + name: 'juniper.srx.secure_web_proxy_session_type', + type: 'keyword', + }, + 'juniper.srx.peer_session_id': { + category: 'juniper', + description: 'peer session id ', + name: 'juniper.srx.peer_session_id', + type: 'keyword', + }, + 'juniper.srx.peer_source_address': { + category: 'juniper', + description: 'peer source address ', + name: 'juniper.srx.peer_source_address', + type: 'ip', + }, + 'juniper.srx.peer_source_port': { + category: 'juniper', + description: 'peer source port ', + name: 'juniper.srx.peer_source_port', + type: 'integer', + }, + 'juniper.srx.peer_destination_address': { + category: 'juniper', + description: 'peer destination address ', + name: 'juniper.srx.peer_destination_address', + type: 'ip', + }, + 'juniper.srx.peer_destination_port': { + category: 'juniper', + description: 'peer destination port ', + name: 'juniper.srx.peer_destination_port', + type: 'integer', + }, + 'juniper.srx.hostname': { + category: 'juniper', + description: 'hostname ', + name: 'juniper.srx.hostname', + type: 'keyword', + }, + 'juniper.srx.src_vrf_grp': { + category: 'juniper', + description: 'src_vrf_grp ', + name: 'juniper.srx.src_vrf_grp', + type: 'keyword', + }, + 'juniper.srx.dst_vrf_grp': { + category: 'juniper', + description: 'dst_vrf_grp ', + name: 'juniper.srx.dst_vrf_grp', + type: 'keyword', + }, + 'juniper.srx.icmp_type': { + category: 'juniper', + description: 'icmp type ', + name: 'juniper.srx.icmp_type', + type: 'integer', + }, + 'juniper.srx.process': { + category: 'juniper', + description: 'process that generated the message ', + name: 'juniper.srx.process', + type: 'keyword', + }, + 'juniper.srx.apbr_rule_type': { + category: 'juniper', + description: 'apbr rule type ', + name: 'juniper.srx.apbr_rule_type', + type: 'keyword', + }, + 'juniper.srx.dscp_value': { + category: 'juniper', + description: 'apbr rule type ', + name: 
'juniper.srx.dscp_value', + type: 'integer', + }, + 'juniper.srx.logical_system_name': { + category: 'juniper', + description: 'logical system name ', + name: 'juniper.srx.logical_system_name', + type: 'keyword', + }, + 'juniper.srx.profile_name': { + category: 'juniper', + description: 'profile name ', + name: 'juniper.srx.profile_name', + type: 'keyword', + }, + 'juniper.srx.routing_instance': { + category: 'juniper', + description: 'routing instance ', + name: 'juniper.srx.routing_instance', + type: 'keyword', + }, + 'juniper.srx.rule_name': { + category: 'juniper', + description: 'rule name ', + name: 'juniper.srx.rule_name', + type: 'keyword', + }, + 'juniper.srx.uplink_tx_bytes': { + category: 'juniper', + description: 'uplink tx bytes ', + name: 'juniper.srx.uplink_tx_bytes', + type: 'integer', + }, + 'juniper.srx.uplink_rx_bytes': { + category: 'juniper', + description: 'uplink rx bytes ', + name: 'juniper.srx.uplink_rx_bytes', + type: 'integer', + }, + 'juniper.srx.obj': { + category: 'juniper', + description: 'url path ', + name: 'juniper.srx.obj', + type: 'keyword', + }, + 'juniper.srx.url': { + category: 'juniper', + description: 'url domain ', + name: 'juniper.srx.url', + type: 'keyword', + }, + 'juniper.srx.profile': { + category: 'juniper', + description: 'filter profile ', + name: 'juniper.srx.profile', + type: 'keyword', + }, + 'juniper.srx.category': { + category: 'juniper', + description: 'filter category ', + name: 'juniper.srx.category', + type: 'keyword', + }, + 'juniper.srx.filename': { + category: 'juniper', + description: 'filename ', + name: 'juniper.srx.filename', + type: 'keyword', + }, + 'juniper.srx.temporary_filename': { + category: 'juniper', + description: 'temporary_filename ', + name: 'juniper.srx.temporary_filename', + type: 'keyword', + }, + 'juniper.srx.name': { + category: 'juniper', + description: 'name ', + name: 'juniper.srx.name', + type: 'keyword', + }, + 'juniper.srx.error_message': { + category: 'juniper', + 
description: 'error_message ', + name: 'juniper.srx.error_message', + type: 'keyword', + }, + 'juniper.srx.error_code': { + category: 'juniper', + description: 'error_code ', + name: 'juniper.srx.error_code', + type: 'keyword', + }, + 'juniper.srx.action': { + category: 'juniper', + description: 'action ', + name: 'juniper.srx.action', + type: 'keyword', + }, + 'juniper.srx.protocol': { + category: 'juniper', + description: 'protocol ', + name: 'juniper.srx.protocol', + type: 'keyword', + }, + 'juniper.srx.protocol_name': { + category: 'juniper', + description: 'protocol name ', + name: 'juniper.srx.protocol_name', + type: 'keyword', + }, + 'juniper.srx.type': { + category: 'juniper', + description: 'type ', + name: 'juniper.srx.type', + type: 'keyword', + }, + 'juniper.srx.repeat_count': { + category: 'juniper', + description: 'repeat count ', + name: 'juniper.srx.repeat_count', + type: 'integer', + }, + 'juniper.srx.alert': { + category: 'juniper', + description: 'repeat alert ', + name: 'juniper.srx.alert', + type: 'keyword', + }, + 'juniper.srx.message_type': { + category: 'juniper', + description: 'message type ', + name: 'juniper.srx.message_type', + type: 'keyword', + }, + 'juniper.srx.threat_severity': { + category: 'juniper', + description: 'threat severity ', + name: 'juniper.srx.threat_severity', + type: 'keyword', + }, + 'juniper.srx.application_name': { + category: 'juniper', + description: 'application name ', + name: 'juniper.srx.application_name', + type: 'keyword', + }, + 'juniper.srx.attack_name': { + category: 'juniper', + description: 'attack name ', + name: 'juniper.srx.attack_name', + type: 'keyword', + }, + 'juniper.srx.index': { + category: 'juniper', + description: 'index ', + name: 'juniper.srx.index', + type: 'keyword', + }, + 'juniper.srx.message': { + category: 'juniper', + description: 'mesagge ', + name: 'juniper.srx.message', + type: 'keyword', + }, + 'juniper.srx.epoch_time': { + category: 'juniper', + description: 'epoch time ', + 
name: 'juniper.srx.epoch_time', + type: 'date', + }, + 'juniper.srx.packet_log_id': { + category: 'juniper', + description: 'packet log id ', + name: 'juniper.srx.packet_log_id', + type: 'integer', + }, + 'juniper.srx.export_id': { + category: 'juniper', + description: 'packet log id ', + name: 'juniper.srx.export_id', + type: 'integer', + }, + 'juniper.srx.ddos_application_name': { + category: 'juniper', + description: 'ddos application name ', + name: 'juniper.srx.ddos_application_name', + type: 'keyword', + }, + 'juniper.srx.connection_hit_rate': { + category: 'juniper', + description: 'connection hit rate ', + name: 'juniper.srx.connection_hit_rate', + type: 'integer', + }, + 'juniper.srx.time_scope': { + category: 'juniper', + description: 'time scope ', + name: 'juniper.srx.time_scope', + type: 'keyword', + }, + 'juniper.srx.context_hit_rate': { + category: 'juniper', + description: 'context hit rate ', + name: 'juniper.srx.context_hit_rate', + type: 'integer', + }, + 'juniper.srx.context_value_hit_rate': { + category: 'juniper', + description: 'context value hit rate ', + name: 'juniper.srx.context_value_hit_rate', + type: 'integer', + }, + 'juniper.srx.time_count': { + category: 'juniper', + description: 'time count ', + name: 'juniper.srx.time_count', + type: 'integer', + }, + 'juniper.srx.time_period': { + category: 'juniper', + description: 'time period ', + name: 'juniper.srx.time_period', + type: 'integer', + }, + 'juniper.srx.context_value': { + category: 'juniper', + description: 'context value ', + name: 'juniper.srx.context_value', + type: 'keyword', + }, + 'juniper.srx.context_name': { + category: 'juniper', + description: 'context name ', + name: 'juniper.srx.context_name', + type: 'keyword', + }, + 'juniper.srx.ruleebase_name': { + category: 'juniper', + description: 'ruleebase name ', + name: 'juniper.srx.ruleebase_name', + type: 'keyword', + }, + 'juniper.srx.verdict_source': { + category: 'juniper', + description: 'verdict source ', + name: 
'juniper.srx.verdict_source', + type: 'keyword', + }, + 'juniper.srx.verdict_number': { + category: 'juniper', + description: 'verdict number ', + name: 'juniper.srx.verdict_number', + type: 'integer', + }, + 'juniper.srx.file_category': { + category: 'juniper', + description: 'file category ', + name: 'juniper.srx.file_category', + type: 'keyword', + }, + 'juniper.srx.sample_sha256': { + category: 'juniper', + description: 'sample sha256 ', + name: 'juniper.srx.sample_sha256', + type: 'keyword', + }, + 'juniper.srx.malware_info': { + category: 'juniper', + description: 'malware info ', + name: 'juniper.srx.malware_info', + type: 'keyword', + }, + 'juniper.srx.client_ip': { + category: 'juniper', + description: 'client ip ', + name: 'juniper.srx.client_ip', + type: 'ip', + }, + 'juniper.srx.tenant_id': { + category: 'juniper', + description: 'tenant id ', + name: 'juniper.srx.tenant_id', + type: 'keyword', + }, + 'juniper.srx.timestamp': { + category: 'juniper', + description: 'timestamp ', + name: 'juniper.srx.timestamp', + type: 'date', + }, + 'juniper.srx.th': { + category: 'juniper', + description: 'th ', + name: 'juniper.srx.th', + type: 'keyword', + }, + 'juniper.srx.status': { + category: 'juniper', + description: 'status ', + name: 'juniper.srx.status', + type: 'keyword', + }, + 'juniper.srx.state': { + category: 'juniper', + description: 'state ', + name: 'juniper.srx.state', + type: 'keyword', + }, + 'juniper.srx.file_hash_lookup': { + category: 'juniper', + description: 'file hash lookup ', + name: 'juniper.srx.file_hash_lookup', + type: 'keyword', + }, + 'juniper.srx.file_name': { + category: 'juniper', + description: 'file name ', + name: 'juniper.srx.file_name', + type: 'keyword', + }, + 'juniper.srx.action_detail': { + category: 'juniper', + description: 'action detail ', + name: 'juniper.srx.action_detail', + type: 'keyword', + }, + 'juniper.srx.sub_category': { + category: 'juniper', + description: 'sub category ', + name: 
'juniper.srx.sub_category', + type: 'keyword', + }, + 'juniper.srx.feed_name': { + category: 'juniper', + description: 'feed name ', + name: 'juniper.srx.feed_name', + type: 'keyword', + }, + 'juniper.srx.occur_count': { + category: 'juniper', + description: 'occur count ', + name: 'juniper.srx.occur_count', + type: 'integer', + }, + 'juniper.srx.tag': { + category: 'juniper', + description: 'system log message tag, which uniquely identifies the message. ', + name: 'juniper.srx.tag', + type: 'keyword', + }, 'microsoft.defender_atp.lastUpdateTime': { category: 'microsoft', description: 'The date and time (in UTC) the alert was last updated. ', 
@@ -21998,6 +25567,267 @@ export const fieldsBeat: BeatFields = { name: 'microsoft.defender_atp.evidence.userPrincipalName', type: 'keyword', }, + 'microsoft.m365_defender.incidentId': { + category: 'microsoft', + description: 'Unique identifier to represent the incident. ', + name: 'microsoft.m365_defender.incidentId', + type: 'keyword', + }, + 'microsoft.m365_defender.redirectIncidentId': { + category: 'microsoft', + description: + 'Only populated in case an incident is being grouped together with another incident, as part of the incident processing logic. ', + name: 'microsoft.m365_defender.redirectIncidentId', + type: 'keyword', + }, + 'microsoft.m365_defender.incidentName': { + category: 'microsoft', + description: 'Name of the Incident. ', + name: 'microsoft.m365_defender.incidentName', + type: 'keyword', + }, + 'microsoft.m365_defender.determination': { + category: 'microsoft', + description: + 'Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other. ', + name: 'microsoft.m365_defender.determination', + type: 'keyword', + }, + 'microsoft.m365_defender.investigationState': { + category: 'microsoft', + description: 'The current state of the Investigation. ', + name: 'microsoft.m365_defender.investigationState', + type: 'keyword', + }, + 'microsoft.m365_defender.assignedTo': { + category: 'microsoft', + description: 'Owner of the alert. ', + name: 'microsoft.m365_defender.assignedTo', + type: 'keyword', + }, + 'microsoft.m365_defender.tags': { + category: 'microsoft', + description: + 'Array of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic. ', + name: 'microsoft.m365_defender.tags', + type: 'keyword', + }, + 'microsoft.m365_defender.status': { + category: 'microsoft', + description: + "Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. 
", + name: 'microsoft.m365_defender.status', + type: 'keyword', + }, + 'microsoft.m365_defender.classification': { + category: 'microsoft', + description: + "Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. ", + name: 'microsoft.m365_defender.classification', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.incidentId': { + category: 'microsoft', + description: 'Unique identifier to represent the incident this alert is associated with. ', + name: 'microsoft.m365_defender.alerts.incidentId', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.resolvedTime': { + category: 'microsoft', + description: 'Time when alert was resolved. ', + name: 'microsoft.m365_defender.alerts.resolvedTime', + type: 'date', + }, + 'microsoft.m365_defender.alerts.status': { + category: 'microsoft', + description: 'Categorize alerts (as New, Active, or Resolved). ', + name: 'microsoft.m365_defender.alerts.status', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.severity': { + category: 'microsoft', + description: 'The severity of the related alert. ', + name: 'microsoft.m365_defender.alerts.severity', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.creationTime': { + category: 'microsoft', + description: 'Time when alert was first created. ', + name: 'microsoft.m365_defender.alerts.creationTime', + type: 'date', + }, + 'microsoft.m365_defender.alerts.lastUpdatedTime': { + category: 'microsoft', + description: 'Time when alert was last updated. ', + name: 'microsoft.m365_defender.alerts.lastUpdatedTime', + type: 'date', + }, + 'microsoft.m365_defender.alerts.investigationId': { + category: 'microsoft', + description: 'The automated investigation id triggered by this alert. 
', + name: 'microsoft.m365_defender.alerts.investigationId', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.userSid': { + category: 'microsoft', + description: 'The SID of the related user ', + name: 'microsoft.m365_defender.alerts.userSid', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.detectionSource': { + category: 'microsoft', + description: 'The service that initially detected the threat. ', + name: 'microsoft.m365_defender.alerts.detectionSource', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.classification': { + category: 'microsoft', + description: + 'The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive or null. ', + name: 'microsoft.m365_defender.alerts.classification', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.investigationState': { + category: 'microsoft', + description: "Information on the investigation's current status. ", + name: 'microsoft.m365_defender.alerts.investigationState', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.determination': { + category: 'microsoft', + description: + 'Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other or null ', + name: 'microsoft.m365_defender.alerts.determination', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.assignedTo': { + category: 'microsoft', + description: 'Owner of the incident, or null if no owner is assigned. ', + name: 'microsoft.m365_defender.alerts.assignedTo', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.actorName': { + category: 'microsoft', + description: 'The activity group, if any, the associated with this alert. ', + name: 'microsoft.m365_defender.alerts.actorName', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.threatFamilyName': { + category: 'microsoft', + description: 'Threat family associated with this alert. 
', + name: 'microsoft.m365_defender.alerts.threatFamilyName', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.mitreTechniques': { + category: 'microsoft', + description: 'The attack techniques, as aligned with the MITRE ATT&CK™ framework. ', + name: 'microsoft.m365_defender.alerts.mitreTechniques', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.entities.entityType': { + category: 'microsoft', + description: + 'Entities that have been identified to be part of, or related to, a given alert. The properties values are: User, Ip, Url, File, Process, MailBox, MailMessage, MailCluster, Registry. ', + name: 'microsoft.m365_defender.alerts.entities.entityType', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.entities.accountName': { + category: 'microsoft', + description: 'Account name of the related user. ', + name: 'microsoft.m365_defender.alerts.entities.accountName', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.entities.mailboxDisplayName': { + category: 'microsoft', + description: 'The display name of the related mailbox. ', + name: 'microsoft.m365_defender.alerts.entities.mailboxDisplayName', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.entities.mailboxAddress': { + category: 'microsoft', + description: 'The mail address of the related mailbox. ', + name: 'microsoft.m365_defender.alerts.entities.mailboxAddress', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.entities.clusterBy': { + category: 'microsoft', + description: 'A list of metadata if the entityType is MailCluster. ', + name: 'microsoft.m365_defender.alerts.entities.clusterBy', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.entities.sender': { + category: 'microsoft', + description: 'The sender for the related email message. 
', + name: 'microsoft.m365_defender.alerts.entities.sender', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.entities.recipient': { + category: 'microsoft', + description: 'The recipient for the related email message. ', + name: 'microsoft.m365_defender.alerts.entities.recipient', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.entities.subject': { + category: 'microsoft', + description: 'The subject for the related email message. ', + name: 'microsoft.m365_defender.alerts.entities.subject', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.entities.deliveryAction': { + category: 'microsoft', + description: 'The delivery status for the related email message. ', + name: 'microsoft.m365_defender.alerts.entities.deliveryAction', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.entities.securityGroupId': { + category: 'microsoft', + description: 'The Security Group ID for the user related to the email message. ', + name: 'microsoft.m365_defender.alerts.entities.securityGroupId', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.entities.securityGroupName': { + category: 'microsoft', + description: 'The Security Group Name for the user related to the email message. ', + name: 'microsoft.m365_defender.alerts.entities.securityGroupName', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.entities.registryHive': { + category: 'microsoft', + description: + 'Reference to which Hive in registry the event is related to, if eventType is registry. Example: HKEY_LOCAL_MACHINE. ', + name: 'microsoft.m365_defender.alerts.entities.registryHive', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.entities.registryKey': { + category: 'microsoft', + description: 'Reference to the related registry key to the event. 
', + name: 'microsoft.m365_defender.alerts.entities.registryKey', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.entities.registryValueType': { + category: 'microsoft', + description: 'Value type of the registry key/value pair related to the event. ', + name: 'microsoft.m365_defender.alerts.entities.registryValueType', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.entities.deviceId': { + category: 'microsoft', + description: 'The unique ID of the device related to the event. ', + name: 'microsoft.m365_defender.alerts.entities.deviceId', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.entities.ipAddress': { + category: 'microsoft', + description: 'The related IP address to the event. ', + name: 'microsoft.m365_defender.alerts.entities.ipAddress', + type: 'keyword', + }, + 'microsoft.m365_defender.alerts.devices': { + category: 'microsoft', + description: 'The devices related to the investigation. ', + name: 'microsoft.m365_defender.alerts.devices', + type: 'flattened', + }, 'misp.attack_pattern.id': { category: 'misp', description: 'Identifier of the threat indicator. ', 
@@ -22592,6 +26422,166 @@ export const fieldsBeat: BeatFields = { name: 'mssql.log.origin', type: 'keyword', }, + 'mysqlenterprise.audit.class': { + category: 'mysqlenterprise', + description: + 'A string representing the event class. The class defines the type of event, when taken together with the event item that specifies the event subclass. ', + name: 'mysqlenterprise.audit.class', + type: 'keyword', + }, + 'mysqlenterprise.audit.connection_id': { + category: 'mysqlenterprise', + description: + 'An integer representing the client connection identifier. This is the same as the value returned by the CONNECTION_ID() function within the session. ', + name: 'mysqlenterprise.audit.connection_id', + type: 'keyword', + }, + 'mysqlenterprise.audit.id': { + category: 'mysqlenterprise', + description: 'An unsigned integer representing an event ID. ', + name: 'mysqlenterprise.audit.id', + type: 'keyword', + }, + 'mysqlenterprise.audit.connection_data.connection_type': { + category: 'mysqlenterprise', + description: + 'The security state of the connection to the server. Permitted values are tcp/ip (TCP/IP connection established without encryption), ssl (TCP/IP connection established with encryption), socket (Unix socket file connection), named_pipe (Windows named pipe connection), and shared_memory (Windows shared memory connection). ', + name: 'mysqlenterprise.audit.connection_data.connection_type', + type: 'keyword', + }, + 'mysqlenterprise.audit.connection_data.status': { + category: 'mysqlenterprise', + description: + 'An integer representing the command status: 0 for success, nonzero if an error occurred. ', + name: 'mysqlenterprise.audit.connection_data.status', + type: 'long', + }, + 'mysqlenterprise.audit.connection_data.db': { + category: 'mysqlenterprise', + description: + 'A string representing a database name. For connection_data, it is the default database. For table_access_data, it is the table database. 
', + name: 'mysqlenterprise.audit.connection_data.db', + type: 'keyword', + }, + 'mysqlenterprise.audit.connection_data.connection_attributes': { + category: 'mysqlenterprise', + description: 'Connection attributes that might be passed by different MySQL Clients. ', + name: 'mysqlenterprise.audit.connection_data.connection_attributes', + type: 'flattened', + }, + 'mysqlenterprise.audit.general_data.command': { + category: 'mysqlenterprise', + description: + 'A string representing the type of instruction that generated the audit event, such as a command that the server received from a client. ', + name: 'mysqlenterprise.audit.general_data.command', + type: 'keyword', + }, + 'mysqlenterprise.audit.general_data.sql_command': { + category: 'mysqlenterprise', + description: 'A string that indicates the SQL statement type. ', + name: 'mysqlenterprise.audit.general_data.sql_command', + type: 'keyword', + }, + 'mysqlenterprise.audit.general_data.query': { + category: 'mysqlenterprise', + description: + 'A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion. ', + name: 'mysqlenterprise.audit.general_data.query', + type: 'keyword', + }, + 'mysqlenterprise.audit.general_data.status': { + category: 'mysqlenterprise', + description: + 'An integer representing the command status: 0 for success, nonzero if an error occurred. This is the same as the value of the mysql_errno() C API function. ', + name: 'mysqlenterprise.audit.general_data.status', + type: 'long', + }, + 'mysqlenterprise.audit.login.user': { + category: 'mysqlenterprise', + description: + 'A string representing the information indicating how a client connected to the server. 
', + name: 'mysqlenterprise.audit.login.user', + type: 'keyword', + }, + 'mysqlenterprise.audit.login.proxy': { + category: 'mysqlenterprise', + description: + 'A string representing the proxy user. The value is empty if user proxying is not in effect. ', + name: 'mysqlenterprise.audit.login.proxy', + type: 'keyword', + }, + 'mysqlenterprise.audit.shutdown_data.server_id': { + category: 'mysqlenterprise', + description: + 'An integer representing the server ID. This is the same as the value of the server_id system variable. ', + name: 'mysqlenterprise.audit.shutdown_data.server_id', + type: 'keyword', + }, + 'mysqlenterprise.audit.startup_data.server_id': { + category: 'mysqlenterprise', + description: + 'An integer representing the server ID. This is the same as the value of the server_id system variable. ', + name: 'mysqlenterprise.audit.startup_data.server_id', + type: 'keyword', + }, + 'mysqlenterprise.audit.startup_data.mysql_version': { + category: 'mysqlenterprise', + description: + 'An integer representing the server ID. This is the same as the value of the server_id system variable. ', + name: 'mysqlenterprise.audit.startup_data.mysql_version', + type: 'keyword', + }, + 'mysqlenterprise.audit.table_access_data.db': { + category: 'mysqlenterprise', + description: + 'A string representing a database name. For connection_data, it is the default database. For table_access_data, it is the table database. ', + name: 'mysqlenterprise.audit.table_access_data.db', + type: 'keyword', + }, + 'mysqlenterprise.audit.table_access_data.table': { + category: 'mysqlenterprise', + description: 'A string representing a table name. ', + name: 'mysqlenterprise.audit.table_access_data.table', + type: 'keyword', + }, + 'mysqlenterprise.audit.table_access_data.query': { + category: 'mysqlenterprise', + description: + 'A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. 
The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion. ', + name: 'mysqlenterprise.audit.table_access_data.query', + type: 'keyword', + }, + 'mysqlenterprise.audit.table_access_data.sql_command': { + category: 'mysqlenterprise', + description: 'A string that indicates the SQL statement type. ', + name: 'mysqlenterprise.audit.table_access_data.sql_command', + type: 'keyword', + }, + 'mysqlenterprise.audit.account.user': { + category: 'mysqlenterprise', + description: + 'A string representing the user that the server authenticated the client as. This is the user name that the server uses for privilege checking. ', + name: 'mysqlenterprise.audit.account.user', + type: 'keyword', + }, + 'mysqlenterprise.audit.account.host': { + category: 'mysqlenterprise', + description: 'A string representing the client host name. ', + name: 'mysqlenterprise.audit.account.host', + type: 'keyword', + }, + 'mysqlenterprise.audit.login.os': { + category: 'mysqlenterprise', + description: + 'A string representing the external user name used during the authentication process, as set by the plugin used to authenticate the client. ', + name: 'mysqlenterprise.audit.login.os', + type: 'keyword', + }, + 'o365.audit.AADGroupId': { + category: 'o365', + name: 'o365.audit.AADGroupId', + type: 'keyword', + }, 'o365.audit.Actor.ID': { category: 'o365', name: 'o365.audit.Actor.ID', @@ -22697,6 +26687,11 @@ export const fieldsBeat: BeatFields = { name: 'o365.audit.Comments', type: 'text', }, + 'o365.audit.CommunicationType': { + category: 'o365', + name: 'o365.audit.CommunicationType', + type: 'keyword', + }, 'o365.audit.CorrelationId': { category: 'o365', name: 'o365.audit.CorrelationId', 
@@ -22722,11 +26717,21 @@ export const fieldsBeat: BeatFields = { name: 'o365.audit.DataType', type: 'keyword', }, + 'o365.audit.DoNotDistributeEvent': { + category: 'o365', + name: 'o365.audit.DoNotDistributeEvent', + type: 'boolean', + }, 'o365.audit.EntityType': { category: 'o365', name: 'o365.audit.EntityType', type: 'keyword', }, + 'o365.audit.ErrorNumber': { + category: 'o365', + name: 'o365.audit.ErrorNumber', + type: 'keyword', + }, 'o365.audit.EventData': { category: 'o365', name: 'o365.audit.EventData', @@ -22752,6 +26757,11 @@ export const fieldsBeat: BeatFields = { name: 'o365.audit.ExternalAccess', type: 'keyword', }, + 'o365.audit.FromApp': { + category: 'o365', + name: 'o365.audit.FromApp', + type: 'boolean', + }, 'o365.audit.GroupName': { category: 'o365', name: 'o365.audit.GroupName', @@ -22787,6 +26797,11 @@ export const fieldsBeat: BeatFields = { name: 'o365.audit.IntraSystemId', type: 'keyword', }, + 'o365.audit.IsDocLib': { + category: 'o365', + name: 'o365.audit.IsDocLib', + type: 'boolean', + }, 'o365.audit.Item.*': { category: 'o365', name: 'o365.audit.Item.*', @@ -22797,6 +26812,11 @@ export const fieldsBeat: BeatFields = { name: 'o365.audit.Item.*.*', type: 'object', }, + 'o365.audit.ItemCount': { + category: 'o365', + name: 'o365.audit.ItemCount', + type: 'long', + }, 'o365.audit.ItemName': { category: 'o365', name: 'o365.audit.ItemName', 
@@ -22807,11 +26827,36 @@ export const fieldsBeat: BeatFields = { name: 'o365.audit.ItemType', type: 'keyword', }, + 'o365.audit.ListBaseTemplateType': { + category: 'o365', + name: 'o365.audit.ListBaseTemplateType', + type: 'keyword', + }, + 'o365.audit.ListBaseType': { + category: 'o365', + name: 'o365.audit.ListBaseType', + type: 'keyword', + }, + 'o365.audit.ListColor': { + category: 'o365', + name: 'o365.audit.ListColor', + type: 'keyword', + }, + 'o365.audit.ListIcon': { + category: 'o365', + name: 'o365.audit.ListIcon', + type: 'keyword', + }, 'o365.audit.ListId': { category: 'o365', name: 'o365.audit.ListId', type: 'keyword', }, + 'o365.audit.ListTitle': { + category: 'o365', + name: 'o365.audit.ListTitle', + type: 'keyword', + }, 'o365.audit.ListItemUniqueId': { category: 'o365', name: 'o365.audit.ListItemUniqueId', @@ -23017,6 +27062,11 @@ export const fieldsBeat: BeatFields = { name: 'o365.audit.TeamGuid', type: 'keyword', }, + 'o365.audit.TemplateTypeId': { + category: 'o365', + name: 'o365.audit.TemplateTypeId', + type: 'keyword', + }, 'o365.audit.UniqueSharingId': { category: 'o365', name: 'o365.audit.UniqueSharingId', 
@@ -23366,6 +27416,89 @@ export const fieldsBeat: BeatFields = { name: 'okta.request.ip_chain.geographical_context.geolocation', type: 'geo_point', }, + 'oracle.database_audit.status': { + category: 'oracle', + description: 'Database Audit Status. ', + name: 'oracle.database_audit.status', + type: 'keyword', + }, + 'oracle.database_audit.session_id': { + category: 'oracle', + description: 'Indicates the audit session ID number. ', + name: 'oracle.database_audit.session_id', + type: 'keyword', + }, + 'oracle.database_audit.client.terminal': { + category: 'oracle', + description: 'If available, the client terminal type, for example "pty". ', + name: 'oracle.database_audit.client.terminal', + type: 'keyword', + }, + 'oracle.database_audit.client.address': { + category: 'oracle', + description: 'The IP Address or Domain used by the client. ', + name: 'oracle.database_audit.client.address', + type: 'keyword', + }, + 'oracle.database_audit.client.user': { + category: 'oracle', + description: 'The user running the client or connection to the database. ', + name: 'oracle.database_audit.client.user', + type: 'keyword', + }, + 'oracle.database_audit.database.user': { + category: 'oracle', + description: 'The database user used to authenticate. ', + name: 'oracle.database_audit.database.user', + type: 'keyword', + }, + 'oracle.database_audit.privilege': { + category: 'oracle', + description: 'The privilege group related to the database user. ', + name: 'oracle.database_audit.privilege', + type: 'keyword', + }, + 'oracle.database_audit.entry.id': { + category: 'oracle', + description: + 'Indicates the current audit entry number, assigned to each audit trail record. The audit entry.id sequence number is shared between fine-grained audit records and regular audit records. ', + name: 'oracle.database_audit.entry.id', + type: 'keyword', + }, + 'oracle.database_audit.database.host': { + category: 'oracle', + description: 'Client host machine name. 
', + name: 'oracle.database_audit.database.host', + type: 'keyword', + }, + 'oracle.database_audit.action': { + category: 'oracle', + description: + 'The action performed during the audit event. This could for example be the raw query. ', + name: 'oracle.database_audit.action', + type: 'keyword', + }, + 'oracle.database_audit.action_number': { + category: 'oracle', + description: + 'Action is a numeric value representing the action the user performed. The corresponding name of the action type is in the AUDIT_ACTIONS table. For example, action 100 refers to LOGON. ', + name: 'oracle.database_audit.action_number', + type: 'keyword', + }, + 'oracle.database_audit.database.id': { + category: 'oracle', + description: + 'Database identifier calculated when the database is created. It corresponds to the DBID column of the V$DATABASE data dictionary view. ', + name: 'oracle.database_audit.database.id', + type: 'keyword', + }, + 'oracle.database_audit.length': { + category: 'oracle', + description: + 'Refers to the total number of bytes used in this audit record. This number includes the trailing newline bytes (\\n), if any, at the end of the audit record. ', + name: 'oracle.database_audit.length', + type: 'long', + }, 'panw.panos.ruleset': { category: 'panw', description: 'Name of the rule that matched this session. ', @@ -23420,6 +27553,12 @@ export const fieldsBeat: BeatFields = { name: 'panw.panos.destination.nat.port', type: 'long', }, + 'panw.panos.endreason': { + category: 'panw', + description: 'The reason a session terminated. ', + name: 'panw.panos.endreason', + type: 'keyword', + }, 'panw.panos.network.pcap_id': { category: 'panw', description: 'Packet capture ID for a threat. ', 
@@ -23482,6 +27621,16 @@ export const fieldsBeat: BeatFields = { name: 'panw.panos.action', type: 'keyword', }, + 'panw.panos.type': { + category: 'panw', + description: 'Specifies the type of the log', + name: 'panw.panos.type', + }, + 'panw.panos.sub_type': { + category: 'panw', + description: 'Specifies the sub type of the log', + name: 'panw.panos.sub_type', + }, 'rabbitmq.log.pid': { category: 'rabbitmq', description: 'The Erlang process id', 
@@ -23489,6 +27638,207 @@ export const fieldsBeat: BeatFields = { name: 'rabbitmq.log.pid', type: 'keyword', }, + 'snyk.projects': { + category: 'snyk', + description: 'Array with all related projects objects. ', + name: 'snyk.projects', + type: 'flattened', + }, + 'snyk.related.projects': { + category: 'snyk', + description: "Array of all the related project ID's. ", + name: 'snyk.related.projects', + type: 'keyword', + }, + 'snyk.audit.org_id': { + category: 'snyk', + description: 'ID of the related Organization related to the event. ', + name: 'snyk.audit.org_id', + type: 'keyword', + }, + 'snyk.audit.project_id': { + category: 'snyk', + description: 'ID of the project related to the event. ', + name: 'snyk.audit.project_id', + type: 'keyword', + }, + 'snyk.audit.content': { + category: 'snyk', + description: 'Overview of the content that was changed, both old and new values. ', + name: 'snyk.audit.content', + type: 'flattened', + }, + 'snyk.vulnerabilities.cvss3': { + category: 'snyk', + description: 'CSSv3 scores. ', + name: 'snyk.vulnerabilities.cvss3', + type: 'keyword', + }, + 'snyk.vulnerabilities.disclosure_time': { + category: 'snyk', + description: + 'The time this vulnerability was originally disclosed to the package maintainers. ', + name: 'snyk.vulnerabilities.disclosure_time', + type: 'date', + }, + 'snyk.vulnerabilities.exploit_maturity': { + category: 'snyk', + description: 'The Snyk exploit maturity level. ', + name: 'snyk.vulnerabilities.exploit_maturity', + type: 'keyword', + }, + 'snyk.vulnerabilities.id': { + category: 'snyk', + description: 'The vulnerability reference ID. ', + name: 'snyk.vulnerabilities.id', + type: 'keyword', + }, + 'snyk.vulnerabilities.is_ignored': { + category: 'snyk', + description: 'If the vulnerability report has been ignored. 
', + name: 'snyk.vulnerabilities.is_ignored', + type: 'boolean', + }, + 'snyk.vulnerabilities.is_patchable': { + category: 'snyk', + description: 'If vulnerability is fixable by using a Snyk supplied patch. ', + name: 'snyk.vulnerabilities.is_patchable', + type: 'boolean', + }, + 'snyk.vulnerabilities.is_patched': { + category: 'snyk', + description: 'If the vulnerability has been patched. ', + name: 'snyk.vulnerabilities.is_patched', + type: 'boolean', + }, + 'snyk.vulnerabilities.is_pinnable': { + category: 'snyk', + description: 'If the vulnerability is fixable by pinning a transitive dependency. ', + name: 'snyk.vulnerabilities.is_pinnable', + type: 'boolean', + }, + 'snyk.vulnerabilities.is_upgradable': { + category: 'snyk', + description: 'If the vulnerability fixable by upgrading a dependency. ', + name: 'snyk.vulnerabilities.is_upgradable', + type: 'boolean', + }, + 'snyk.vulnerabilities.language': { + category: 'snyk', + description: "The package's programming language. ", + name: 'snyk.vulnerabilities.language', + type: 'keyword', + }, + 'snyk.vulnerabilities.package': { + category: 'snyk', + description: 'The package identifier according to its package manager. ', + name: 'snyk.vulnerabilities.package', + type: 'keyword', + }, + 'snyk.vulnerabilities.package_manager': { + category: 'snyk', + description: 'The package manager. ', + name: 'snyk.vulnerabilities.package_manager', + type: 'keyword', + }, + 'snyk.vulnerabilities.patches': { + category: 'snyk', + description: 'Patches required to resolve the issue created by Snyk. ', + name: 'snyk.vulnerabilities.patches', + type: 'flattened', + }, + 'snyk.vulnerabilities.priority_score': { + category: 'snyk', + description: 'The CVS priority score. ', + name: 'snyk.vulnerabilities.priority_score', + type: 'long', + }, + 'snyk.vulnerabilities.publication_time': { + category: 'snyk', + description: 'The vulnerability publication time. 
', + name: 'snyk.vulnerabilities.publication_time', + type: 'date', + }, + 'snyk.vulnerabilities.jira_issue_url': { + category: 'snyk', + description: 'Link to the related Jira issue. ', + name: 'snyk.vulnerabilities.jira_issue_url', + type: 'keyword', + }, + 'snyk.vulnerabilities.original_severity': { + category: 'snyk', + description: 'The original severity of the vulnerability. ', + name: 'snyk.vulnerabilities.original_severity', + type: 'long', + }, + 'snyk.vulnerabilities.reachability': { + category: 'snyk', + description: + 'If the vulnerable function from the library is used in the code scanned. Can either be No Info, Potentially reachable and Reachable. ', + name: 'snyk.vulnerabilities.reachability', + type: 'keyword', + }, + 'snyk.vulnerabilities.title': { + category: 'snyk', + description: 'The issue title. ', + name: 'snyk.vulnerabilities.title', + type: 'keyword', + }, + 'snyk.vulnerabilities.type': { + category: 'snyk', + description: 'The issue type. Can be either "license" or "vulnerability". ', + name: 'snyk.vulnerabilities.type', + type: 'keyword', + }, + 'snyk.vulnerabilities.unique_severities_list': { + category: 'snyk', + description: 'A list of related unique severities. ', + name: 'snyk.vulnerabilities.unique_severities_list', + type: 'keyword', + }, + 'snyk.vulnerabilities.version': { + category: 'snyk', + description: 'The package version this issue is applicable to. ', + name: 'snyk.vulnerabilities.version', + type: 'keyword', + }, + 'snyk.vulnerabilities.introduced_date': { + category: 'snyk', + description: 'The date the vulnerability was initially found. ', + name: 'snyk.vulnerabilities.introduced_date', + type: 'date', + }, + 'snyk.vulnerabilities.is_fixed': { + category: 'snyk', + description: 'If the related vulnerability has been resolved. 
', + name: 'snyk.vulnerabilities.is_fixed', + type: 'boolean', + }, + 'snyk.vulnerabilities.credit': { + category: 'snyk', + description: 'Reference to the person that original found the vulnerability. ', + name: 'snyk.vulnerabilities.credit', + type: 'keyword', + }, + 'snyk.vulnerabilities.semver': { + category: 'snyk', + description: + 'One or more semver ranges this issue is applicable to. The format varies according to package manager. ', + name: 'snyk.vulnerabilities.semver', + type: 'flattened', + }, + 'snyk.vulnerabilities.identifiers.alternative': { + category: 'snyk', + description: 'Additional vulnerability identifiers. ', + name: 'snyk.vulnerabilities.identifiers.alternative', + type: 'keyword', + }, + 'snyk.vulnerabilities.identifiers.cwe': { + category: 'snyk', + description: 'CWE vulnerability identifiers. ', + name: 'snyk.vulnerabilities.identifiers.cwe', + type: 'keyword', + }, 'sophos.xg.device': { category: 'sophos', description: 'device ', @@ -24845,16 +29195,17 @@ export const fieldsBeat: BeatFields = { name: 'suricata.eve.http.http_content_type', type: 'keyword', }, - 'suricata.eve.timestamp': { - category: 'suricata', - name: 'suricata.eve.timestamp', - type: 'alias', - }, 'suricata.eve.in_iface': { category: 'suricata', name: 'suricata.eve.in_iface', type: 'keyword', }, + 'suricata.eve.alert.metadata': { + category: 'suricata', + description: 'Metadata about the alert.', + name: 'suricata.eve.alert.metadata', + type: 'flattened', + }, 'suricata.eve.alert.category': { category: 'suricata', name: 'suricata.eve.alert.category', @@ -25600,11 +29951,6 @@ export const fieldsBeat: BeatFields = { name: 'suricata.eve.flow.pkts_toserver', type: 'alias', }, - 'suricata.eve.flow.end': { - category: 'suricata', - name: 'suricata.eve.flow.end', - type: 'date', - }, 'suricata.eve.flow.alerted': { category: 'suricata', name: 'suricata.eve.flow.alerted', 
@@ -25650,6 +29996,838 @@ export const fieldsBeat: BeatFields = { name: 'suricata.eve.flags', type: 'group', }, + 'threatintel.indicator.first_seen': { + category: 'threatintel', + description: + 'The date and time when intelligence source first reported sighting this indicator. ', + name: 'threatintel.indicator.first_seen', + type: 'keyword', + }, + 'threatintel.indicator.last_seen': { + category: 'threatintel', + description: + 'The date and time when intelligence source last reported sighting this indicator. ', + name: 'threatintel.indicator.last_seen', + type: 'date', + }, + 'threatintel.indicator.sightings': { + category: 'threatintel', + description: 'Number of times this indicator was observed conducting threat activity. ', + name: 'threatintel.indicator.sightings', + type: 'long', + }, + 'threatintel.indicator.type': { + category: 'threatintel', + description: + 'Type of indicator as represented by Cyber Observable in STIX 2.0. Expected values * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * process * software * url * user-account * windows-registry-key * x-509-certificate ', + name: 'threatintel.indicator.type', + type: 'keyword', + }, + 'threatintel.indicator.description': { + category: 'threatintel', + description: 'Describes the type of action conducted by the threat. ', + name: 'threatintel.indicator.description', + type: 'keyword', + }, + 'threatintel.indicator.scanner_stats': { + category: 'threatintel', + description: 'Count of AV/EDR vendors that successfully detected malicious file or URL. ', + name: 'threatintel.indicator.scanner_stats', + type: 'long', + }, + 'threatintel.indicator.provider': { + category: 'threatintel', + description: 'Identifies the name of the intelligence provider. 
', + name: 'threatintel.indicator.provider', + type: 'keyword', + }, + 'threatintel.indicator.confidence': { + category: 'threatintel', + description: + 'Identifies the confidence rating assigned by the provider using STIX confidence scales. Expected values * Not Specified, None, Low, Medium, High * 0-10 * Admirality Scale (1-6) * DNI Scale (5-95) * WEP Scale (Impossible - Certain) ', + name: 'threatintel.indicator.confidence', + type: 'keyword', + }, + 'threatintel.indicator.module': { + category: 'threatintel', + description: 'Identifies the name of specific module this data is coming from. ', + name: 'threatintel.indicator.module', + type: 'keyword', + }, + 'threatintel.indicator.dataset': { + category: 'threatintel', + description: 'Identifies the name of specific dataset from the intelligence source. ', + name: 'threatintel.indicator.dataset', + type: 'keyword', + }, + 'threatintel.indicator.ip': { + category: 'threatintel', + description: 'Identifies a threat indicator as an IP address (irrespective of direction). ', + name: 'threatintel.indicator.ip', + type: 'ip', + }, + 'threatintel.indicator.domain': { + category: 'threatintel', + description: 'Identifies a threat indicator as a domain (irrespective of direction). ', + name: 'threatintel.indicator.domain', + type: 'keyword', + }, + 'threatintel.indicator.port': { + category: 'threatintel', + description: 'Identifies a threat indicator as a port number (irrespective of direction). ', + name: 'threatintel.indicator.port', + type: 'long', + }, + 'threatintel.indicator.email.address': { + category: 'threatintel', + description: 'Identifies a threat indicator as an email address (irrespective of direction). ', + name: 'threatintel.indicator.email.address', + type: 'keyword', + }, + 'threatintel.indicator.marking.tlp': { + category: 'threatintel', + description: + 'Traffic Light Protocol sharing markings. 
Expected values are: * White * Green * Amber * Red ', + name: 'threatintel.indicator.marking.tlp', + type: 'keyword', + }, + 'threatintel.indicator.matched.atomic': { + category: 'threatintel', + description: + 'Identifies the atomic indicator that matched a local environment endpoint or network event. ', + name: 'threatintel.indicator.matched.atomic', + type: 'keyword', + }, + 'threatintel.indicator.matched.field': { + category: 'threatintel', + description: + 'Identifies the field of the atomic indicator that matched a local environment endpoint or network event. ', + name: 'threatintel.indicator.matched.field', + type: 'keyword', + }, + 'threatintel.indicator.matched.type': { + category: 'threatintel', + description: + 'Identifies the type of the atomic indicator that matched a local environment endpoint or network event. ', + name: 'threatintel.indicator.matched.type', + type: 'keyword', + }, + 'threatintel.indicator.as.number': { + category: 'threatintel', + description: + 'Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.', + example: 15169, + name: 'threatintel.indicator.as.number', + type: 'long', + }, + 'threatintel.indicator.as.organization.name': { + category: 'threatintel', + description: 'Organization name.', + example: 'Google LLC', + name: 'threatintel.indicator.as.organization.name', + type: 'keyword', + }, + 'threatintel.indicator.registry.data.strings': { + category: 'threatintel', + description: + 'Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). 
', + example: '["C:\\rta\\red_ttp\\bin\\myapp.exe"]', + name: 'threatintel.indicator.registry.data.strings', + type: 'keyword', + }, + 'threatintel.indicator.registry.path': { + category: 'threatintel', + description: 'Full path, including hive, key and value', + example: + 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\winword.exe\\Debugger', + name: 'threatintel.indicator.registry.path', + type: 'keyword', + }, + 'threatintel.indicator.registry.value': { + category: 'threatintel', + description: 'Name of the value written.', + example: 'Debugger', + name: 'threatintel.indicator.registry.value', + type: 'keyword', + }, + 'threatintel.indicator.registry.key': { + category: 'threatintel', + description: 'Registry key value', + name: 'threatintel.indicator.registry.key', + type: 'keyword', + }, + 'threatintel.indicator.geo.geo.city_name': { + category: 'threatintel', + description: 'City name.', + example: 'Montreal', + name: 'threatintel.indicator.geo.geo.city_name', + type: 'keyword', + }, + 'threatintel.indicator.geo.geo.country_iso_code': { + category: 'threatintel', + description: 'Country ISO code.', + example: 'CA', + name: 'threatintel.indicator.geo.geo.country_iso_code', + type: 'keyword', + }, + 'threatintel.indicator.geo.geo.country_name': { + category: 'threatintel', + description: 'Country name.', + example: 'Canada', + name: 'threatintel.indicator.geo.geo.country_name', + type: 'keyword', + }, + 'threatintel.indicator.geo.geo.location': { + category: 'threatintel', + description: 'Longitude and latitude.', + example: '{ "lon": -73.614830, "lat": 45.505918 }', + name: 'threatintel.indicator.geo.geo.location', + type: 'geo_point', + }, + 'threatintel.indicator.geo.geo.region_iso_code': { + category: 'threatintel', + description: 'Region ISO code.', + example: 'CA-QC', + name: 'threatintel.indicator.geo.geo.region_iso_code', + type: 'keyword', + }, + 'threatintel.indicator.geo.geo.region_name': { + category: 
'threatintel', + description: 'Region name.', + example: 'Quebec', + name: 'threatintel.indicator.geo.geo.region_name', + type: 'keyword', + }, + 'threatintel.indicator.file.pe.imphash': { + category: 'threatintel', + description: + 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.', + example: '0c6803c4e922103c4dca5963aad36ddf', + name: 'threatintel.indicator.file.pe.imphash', + type: 'keyword', + }, + 'threatintel.indicator.file.hash.tlsh': { + category: 'threatintel', + description: "The file's import tlsh, if available. ", + name: 'threatintel.indicator.file.hash.tlsh', + type: 'keyword', + }, + 'threatintel.indicator.file.hash.ssdeep': { + category: 'threatintel', + description: "The file's ssdeep hash, if available. ", + name: 'threatintel.indicator.file.hash.ssdeep', + type: 'keyword', + }, + 'threatintel.indicator.file.hash.md5': { + category: 'threatintel', + description: "The file's md5 hash, if available. ", + name: 'threatintel.indicator.file.hash.md5', + type: 'keyword', + }, + 'threatintel.indicator.file.hash.sha1': { + category: 'threatintel', + description: "The file's sha1 hash, if available. ", + name: 'threatintel.indicator.file.hash.sha1', + type: 'keyword', + }, + 'threatintel.indicator.file.hash.sha256': { + category: 'threatintel', + description: "The file's sha256 hash, if available. ", + name: 'threatintel.indicator.file.hash.sha256', + type: 'keyword', + }, + 'threatintel.indicator.file.hash.sha512': { + category: 'threatintel', + description: "The file's sha512 hash, if available. 
", + name: 'threatintel.indicator.file.hash.sha512', + type: 'keyword', + }, + 'threatintel.indicator.file.type': { + category: 'threatintel', + description: 'The file type ', + name: 'threatintel.indicator.file.type', + type: 'keyword', + }, + 'threatintel.indicator.file.size': { + category: 'threatintel', + description: "The file's total size ", + name: 'threatintel.indicator.file.size', + type: 'long', + }, + 'threatintel.indicator.file.name': { + category: 'threatintel', + description: "The file's name ", + name: 'threatintel.indicator.file.name', + type: 'keyword', + }, + 'threatintel.indicator.url.domain': { + category: 'threatintel', + description: 'Domain of the url, such as "www.elastic.co". ', + name: 'threatintel.indicator.url.domain', + type: 'keyword', + }, + 'threatintel.indicator.url.extension': { + category: 'threatintel', + description: 'The field contains the file extension from the original request ', + name: 'threatintel.indicator.url.extension', + type: 'keyword', + }, + 'threatintel.indicator.url.fragment': { + category: 'threatintel', + description: 'Portion of the url after the `#`, such as "top". ', + name: 'threatintel.indicator.url.fragment', + type: 'keyword', + }, + 'threatintel.indicator.url.full': { + category: 'threatintel', + description: + 'If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. ', + name: 'threatintel.indicator.url.full', + type: 'keyword', + }, + 'threatintel.indicator.url.original': { + category: 'threatintel', + description: + 'Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. 
', + name: 'threatintel.indicator.url.original', + type: 'keyword', + }, + 'threatintel.indicator.url.password': { + category: 'threatintel', + description: 'Password of the request. ', + name: 'threatintel.indicator.url.password', + type: 'keyword', + }, + 'threatintel.indicator.url.path': { + category: 'threatintel', + description: 'Path of the request, such as "/search". ', + name: 'threatintel.indicator.url.path', + type: 'keyword', + }, + 'threatintel.indicator.url.port': { + category: 'threatintel', + description: 'Port of the request, such as 443. ', + name: 'threatintel.indicator.url.port', + type: 'long', + format: 'string', + }, + 'threatintel.indicator.url.query': { + category: 'threatintel', + description: + 'The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. ', + name: 'threatintel.indicator.url.query', + type: 'keyword', + }, + 'threatintel.indicator.url.registered_domain': { + category: 'threatintel', + description: + 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". ', + name: 'threatintel.indicator.url.registered_domain', + type: 'keyword', + }, + 'threatintel.indicator.url.scheme': { + category: 'threatintel', + description: 'Scheme of the request, such as "https". 
', + name: 'threatintel.indicator.url.scheme', + type: 'keyword', + }, + 'threatintel.indicator.url.subdomain': { + category: 'threatintel', + description: + 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. ', + name: 'threatintel.indicator.url.subdomain', + type: 'keyword', + }, + 'threatintel.indicator.url.top_level_domain': { + category: 'threatintel', + description: + 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". ', + name: 'threatintel.indicator.url.top_level_domain', + type: 'keyword', + }, + 'threatintel.indicator.url.username': { + category: 'threatintel', + description: 'Username of the request. ', + name: 'threatintel.indicator.url.username', + type: 'keyword', + }, + 'threatintel.indicator.x509.serial_number': { + category: 'threatintel', + description: + 'Unique serial number issued by the certificate authority. 
For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.', + example: '55FBB9C7DEBF09809D12CCAA', + name: 'threatintel.indicator.x509.serial_number', + type: 'keyword', + }, + 'threatintel.indicator.x509.issuer': { + category: 'threatintel', + description: + 'Name of issuing certificate authority. Could be either Distinguished Name (DN) or Common Name (CN), depending on source.', + example: 'C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA', + name: 'threatintel.indicator.x509.issuer', + type: 'keyword', + }, + 'threatintel.indicator.x509.subject': { + category: 'threatintel', + description: + 'Name of the certificate subject entity. Could be either Distinguished Name (DN) or Common Name (CN), depending on source.', + example: 'C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net', + name: 'threatintel.indicator.x509.subject', + type: 'keyword', + }, + 'threatintel.indicator.x509.alternative_names': { + category: 'threatintel', + description: + 'List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', + example: '*.elastic.co', + name: 'threatintel.indicator.x509.alternative_names', + type: 'keyword', + }, + 'threatintel.abusemalware.file_type': { + category: 'threatintel', + description: 'File type guessed by URLhaus. ', + name: 'threatintel.abusemalware.file_type', + type: 'keyword', + }, + 'threatintel.abusemalware.signature': { + category: 'threatintel', + description: 'Malware familiy. ', + name: 'threatintel.abusemalware.signature', + type: 'keyword', + }, + 'threatintel.abusemalware.urlhaus_download': { + category: 'threatintel', + description: 'Location (URL) where you can download a copy of this file. 
', + name: 'threatintel.abusemalware.urlhaus_download', + type: 'keyword', + }, + 'threatintel.abusemalware.virustotal.result': { + category: 'threatintel', + description: 'AV detection ration. ', + name: 'threatintel.abusemalware.virustotal.result', + type: 'keyword', + }, + 'threatintel.abusemalware.virustotal.percent': { + category: 'threatintel', + description: 'AV detection in percent. ', + name: 'threatintel.abusemalware.virustotal.percent', + type: 'float', + }, + 'threatintel.abusemalware.virustotal.link': { + category: 'threatintel', + description: 'Link to the Virustotal report. ', + name: 'threatintel.abusemalware.virustotal.link', + type: 'keyword', + }, + 'threatintel.abuseurl.id': { + category: 'threatintel', + description: 'The ID of the url. ', + name: 'threatintel.abuseurl.id', + type: 'keyword', + }, + 'threatintel.abuseurl.urlhaus_reference': { + category: 'threatintel', + description: 'Link to URLhaus entry. ', + name: 'threatintel.abuseurl.urlhaus_reference', + type: 'keyword', + }, + 'threatintel.abuseurl.url_status': { + category: 'threatintel', + description: + 'The current status of the URL. Possible values are: online, offline and unknown. ', + name: 'threatintel.abuseurl.url_status', + type: 'keyword', + }, + 'threatintel.abuseurl.threat': { + category: 'threatintel', + description: 'The threat corresponding to this malware URL. ', + name: 'threatintel.abuseurl.threat', + type: 'keyword', + }, + 'threatintel.abuseurl.blacklists.surbl': { + category: 'threatintel', + description: 'SURBL blacklist status. Possible values are: listed and not_listed ', + name: 'threatintel.abuseurl.blacklists.surbl', + type: 'keyword', + }, + 'threatintel.abuseurl.blacklists.spamhaus_dbl': { + category: 'threatintel', + description: 'Spamhaus DBL blacklist status. 
', + name: 'threatintel.abuseurl.blacklists.spamhaus_dbl', + type: 'keyword', + }, + 'threatintel.abuseurl.reporter': { + category: 'threatintel', + description: + 'The Twitter handle of the reporter that has reported this malware URL (or anonymous). ', + name: 'threatintel.abuseurl.reporter', + type: 'keyword', + }, + 'threatintel.abuseurl.larted': { + category: 'threatintel', + description: + 'Indicates whether the malware URL has been reported to the hosting provider (true or false) ', + name: 'threatintel.abuseurl.larted', + type: 'boolean', + }, + 'threatintel.abuseurl.tags': { + category: 'threatintel', + description: 'A list of tags associated with the queried malware URL ', + name: 'threatintel.abuseurl.tags', + type: 'keyword', + }, + 'threatintel.anomali.id': { + category: 'threatintel', + description: 'The ID of the indicator. ', + name: 'threatintel.anomali.id', + type: 'keyword', + }, + 'threatintel.anomali.name': { + category: 'threatintel', + description: 'The name of the indicator. ', + name: 'threatintel.anomali.name', + type: 'keyword', + }, + 'threatintel.anomali.pattern': { + category: 'threatintel', + description: 'The pattern ID of the indicator. ', + name: 'threatintel.anomali.pattern', + type: 'keyword', + }, + 'threatintel.anomali.valid_from': { + category: 'threatintel', + description: 'When the indicator was first found or is considered valid. ', + name: 'threatintel.anomali.valid_from', + type: 'date', + }, + 'threatintel.anomali.modified': { + category: 'threatintel', + description: 'When the indicator was last modified ', + name: 'threatintel.anomali.modified', + type: 'date', + }, + 'threatintel.anomali.labels': { + category: 'threatintel', + description: 'The labels related to the indicator ', + name: 'threatintel.anomali.labels', + type: 'keyword', + }, + 'threatintel.anomali.indicator': { + category: 'threatintel', + description: + 'The value of the indicator, for example if the type is domain, this would be the value. 
', + name: 'threatintel.anomali.indicator', + type: 'keyword', + }, + 'threatintel.anomali.description': { + category: 'threatintel', + description: 'A description of the indicator. ', + name: 'threatintel.anomali.description', + type: 'keyword', + }, + 'threatintel.anomali.title': { + category: 'threatintel', + description: 'Title describing the indicator. ', + name: 'threatintel.anomali.title', + type: 'keyword', + }, + 'threatintel.anomali.content': { + category: 'threatintel', + description: 'Extra text or descriptive content related to the indicator. ', + name: 'threatintel.anomali.content', + type: 'keyword', + }, + 'threatintel.anomali.type': { + category: 'threatintel', + description: 'The indicator type, can for example be "domain, email, FileHash-SHA256". ', + name: 'threatintel.anomali.type', + type: 'keyword', + }, + 'threatintel.anomali.object_marking_refs': { + category: 'threatintel', + description: 'The STIX reference object. ', + name: 'threatintel.anomali.object_marking_refs', + type: 'keyword', + }, + 'threatintel.misp.id': { + category: 'threatintel', + description: 'Attribute ID. ', + name: 'threatintel.misp.id', + type: 'keyword', + }, + 'threatintel.misp.orgc_id': { + category: 'threatintel', + description: 'Organization Community ID of the event. ', + name: 'threatintel.misp.orgc_id', + type: 'keyword', + }, + 'threatintel.misp.org_id': { + category: 'threatintel', + description: 'Organization ID of the event. ', + name: 'threatintel.misp.org_id', + type: 'keyword', + }, + 'threatintel.misp.threat_level_id': { + category: 'threatintel', + description: 'Threat level from 5 to 1, where 1 is the most critical. ', + name: 'threatintel.misp.threat_level_id', + type: 'long', + }, + 'threatintel.misp.info': { + category: 'threatintel', + description: 'Additional text or information related to the event. 
', + name: 'threatintel.misp.info', + type: 'keyword', + }, + 'threatintel.misp.published': { + category: 'threatintel', + description: 'When the event was published. ', + name: 'threatintel.misp.published', + type: 'boolean', + }, + 'threatintel.misp.uuid': { + category: 'threatintel', + description: 'The UUID of the event object. ', + name: 'threatintel.misp.uuid', + type: 'keyword', + }, + 'threatintel.misp.date': { + category: 'threatintel', + description: 'The date of when the event object was created. ', + name: 'threatintel.misp.date', + type: 'date', + }, + 'threatintel.misp.attribute_count': { + category: 'threatintel', + description: 'How many attributes are included in a single event object. ', + name: 'threatintel.misp.attribute_count', + type: 'long', + }, + 'threatintel.misp.timestamp': { + category: 'threatintel', + description: 'The timestamp of when the event object was created. ', + name: 'threatintel.misp.timestamp', + type: 'date', + }, + 'threatintel.misp.distribution': { + category: 'threatintel', + description: 'Distribution type related to MISP. ', + name: 'threatintel.misp.distribution', + type: 'keyword', + }, + 'threatintel.misp.proposal_email_lock': { + category: 'threatintel', + description: 'Settings configured on MISP for email lock on this event object. ', + name: 'threatintel.misp.proposal_email_lock', + type: 'boolean', + }, + 'threatintel.misp.locked': { + category: 'threatintel', + description: 'If the current MISP event object is locked or not. ', + name: 'threatintel.misp.locked', + type: 'boolean', + }, + 'threatintel.misp.publish_timestamp': { + category: 'threatintel', + description: 'At what time the event object was published ', + name: 'threatintel.misp.publish_timestamp', + type: 'date', + }, + 'threatintel.misp.sharing_group_id': { + category: 'threatintel', + description: 'The ID of the grouped events or sources of the event. 
', + name: 'threatintel.misp.sharing_group_id', + type: 'keyword', + }, + 'threatintel.misp.disable_correlation': { + category: 'threatintel', + description: 'If correlation is disabled on the MISP event object. ', + name: 'threatintel.misp.disable_correlation', + type: 'boolean', + }, + 'threatintel.misp.extends_uuid': { + category: 'threatintel', + description: 'The UUID of the event object it might extend. ', + name: 'threatintel.misp.extends_uuid', + type: 'keyword', + }, + 'threatintel.misp.org.id': { + category: 'threatintel', + description: 'The organization ID related to the event object. ', + name: 'threatintel.misp.org.id', + type: 'keyword', + }, + 'threatintel.misp.org.name': { + category: 'threatintel', + description: 'The organization name related to the event object. ', + name: 'threatintel.misp.org.name', + type: 'keyword', + }, + 'threatintel.misp.org.uuid': { + category: 'threatintel', + description: 'The UUID of the organization related to the event object. ', + name: 'threatintel.misp.org.uuid', + type: 'keyword', + }, + 'threatintel.misp.org.local': { + category: 'threatintel', + description: 'If the event object is local or from a remote source. ', + name: 'threatintel.misp.org.local', + type: 'boolean', + }, + 'threatintel.misp.orgc.id': { + category: 'threatintel', + description: 'The Organization Community ID in which the event object was reported from. ', + name: 'threatintel.misp.orgc.id', + type: 'keyword', + }, + 'threatintel.misp.orgc.name': { + category: 'threatintel', + description: 'The Organization Community name in which the event object was reported from. ', + name: 'threatintel.misp.orgc.name', + type: 'keyword', + }, + 'threatintel.misp.orgc.uuid': { + category: 'threatintel', + description: 'The Organization Community UUID in which the event object was reported from. 
', + name: 'threatintel.misp.orgc.uuid', + type: 'keyword', + }, + 'threatintel.misp.orgc.local': { + category: 'threatintel', + description: 'If the Organization Community was local or synced from a remote source. ', + name: 'threatintel.misp.orgc.local', + type: 'boolean', + }, + 'threatintel.misp.attribute.id': { + category: 'threatintel', + description: 'The ID of the attribute related to the event object. ', + name: 'threatintel.misp.attribute.id', + type: 'keyword', + }, + 'threatintel.misp.attribute.type': { + category: 'threatintel', + description: + 'The type of the attribute related to the event object. For example email, ipv4, sha1 and such. ', + name: 'threatintel.misp.attribute.type', + type: 'keyword', + }, + 'threatintel.misp.attribute.category': { + category: 'threatintel', + description: + 'The category of the attribute related to the event object. For example "Network Activity". ', + name: 'threatintel.misp.attribute.category', + type: 'keyword', + }, + 'threatintel.misp.attribute.to_ids': { + category: 'threatintel', + description: 'If the attribute should be automatically synced with an IDS. ', + name: 'threatintel.misp.attribute.to_ids', + type: 'boolean', + }, + 'threatintel.misp.attribute.uuid': { + category: 'threatintel', + description: 'The UUID of the attribute related to the event. ', + name: 'threatintel.misp.attribute.uuid', + type: 'keyword', + }, + 'threatintel.misp.attribute.event_id': { + category: 'threatintel', + description: 'The local event ID of the attribute related to the event. ', + name: 'threatintel.misp.attribute.event_id', + type: 'keyword', + }, + 'threatintel.misp.attribute.distribution': { + category: 'threatintel', + description: 'How the attribute has been distributed, represented by integer numbers. 
', + name: 'threatintel.misp.attribute.distribution', + type: 'long', + }, + 'threatintel.misp.attribute.timestamp': { + category: 'threatintel', + description: 'The timestamp in which the attribute was attached to the event object. ', + name: 'threatintel.misp.attribute.timestamp', + type: 'date', + }, + 'threatintel.misp.attribute.comment': { + category: 'threatintel', + description: 'Comments made to the attribute itself. ', + name: 'threatintel.misp.attribute.comment', + type: 'keyword', + }, + 'threatintel.misp.attribute.sharing_group_id': { + category: 'threatintel', + description: 'The group ID of the sharing group related to the specific attribute. ', + name: 'threatintel.misp.attribute.sharing_group_id', + type: 'keyword', + }, + 'threatintel.misp.attribute.deleted': { + category: 'threatintel', + description: 'If the attribute has been removed from the event object. ', + name: 'threatintel.misp.attribute.deleted', + type: 'boolean', + }, + 'threatintel.misp.attribute.disable_correlation': { + category: 'threatintel', + description: 'If correlation has been enabled on the attribute related to the event object. ', + name: 'threatintel.misp.attribute.disable_correlation', + type: 'boolean', + }, + 'threatintel.misp.attribute.object_id': { + category: 'threatintel', + description: 'The ID of the Object in which the attribute is attached. ', + name: 'threatintel.misp.attribute.object_id', + type: 'keyword', + }, + 'threatintel.misp.attribute.object_relation': { + category: 'threatintel', + description: 'The type of relation the attribute has with the event object itself. ', + name: 'threatintel.misp.attribute.object_relation', + type: 'keyword', + }, + 'threatintel.misp.attribute.value': { + category: 'threatintel', + description: 'The value of the attribute, depending on the type like "url, sha1, email-src". 
', + name: 'threatintel.misp.attribute.value', + type: 'keyword', + }, + 'threatintel.otx.id': { + category: 'threatintel', + description: 'The ID of the indicator. ', + name: 'threatintel.otx.id', + type: 'keyword', + }, + 'threatintel.otx.indicator': { + category: 'threatintel', + description: + 'The value of the indicator, for example if the type is domain, this would be the value. ', + name: 'threatintel.otx.indicator', + type: 'keyword', + }, + 'threatintel.otx.description': { + category: 'threatintel', + description: 'A description of the indicator. ', + name: 'threatintel.otx.description', + type: 'keyword', + }, + 'threatintel.otx.title': { + category: 'threatintel', + description: 'Title describing the indicator. ', + name: 'threatintel.otx.title', + type: 'keyword', + }, + 'threatintel.otx.content': { + category: 'threatintel', + description: 'Extra text or descriptive content related to the indicator. ', + name: 'threatintel.otx.content', + type: 'keyword', + }, + 'threatintel.otx.type': { + category: 'threatintel', + description: 'The indicator type, can for example be "domain, email, FileHash-SHA256". ', + name: 'threatintel.otx.type', + type: 'keyword', + }, 'zeek.session_id': { category: 'zeek', description: 'A unique identifier of the session ', 
@@ -27358,6 +32536,42 @@ export const fieldsBeat: BeatFields = { name: 'zeek.rfb.height', type: 'integer', }, + 'zeek.signature.note': { + category: 'zeek', + description: 'Notice associated with signature event. ', + name: 'zeek.signature.note', + type: 'keyword', + }, + 'zeek.signature.sig_id': { + category: 'zeek', + description: 'The name of the signature that matched. ', + name: 'zeek.signature.sig_id', + type: 'keyword', + }, + 'zeek.signature.event_msg': { + category: 'zeek', + description: 'A more descriptive message of the signature-matching event. ', + name: 'zeek.signature.event_msg', + type: 'keyword', + }, + 'zeek.signature.sub_msg': { + category: 'zeek', + description: 'Extracted payload data or extra message. ', + name: 'zeek.signature.sub_msg', + type: 'keyword', + }, + 'zeek.signature.sig_count': { + category: 'zeek', + description: 'Number of sigs, usually from summary count. ', + name: 'zeek.signature.sig_count', + type: 'integer', + }, + 'zeek.signature.host_count': { + category: 'zeek', + description: 'Number of hosts, from a summary count. ', + name: 'zeek.signature.host_count', + type: 'integer', + }, 'zeek.sip.transaction_depth': { category: 'zeek', description: 
@@ -28650,22 +33864,965 @@ export const fieldsBeat: BeatFields = { name: 'zeek.x509.log_cert', type: 'boolean', }, - 'awscloudwatch.log_group': { - category: 'awscloudwatch', + 'zoom.master_account_id': { + category: 'zoom', + description: 'Master Account related to a specific Sub Account ', + name: 'zoom.master_account_id', + type: 'keyword', + }, + 'zoom.sub_account_id': { + category: 'zoom', + description: 'Related Sub Account ', + name: 'zoom.sub_account_id', + type: 'keyword', + }, + 'zoom.operator_id': { + category: 'zoom', + description: 'UserID that triggered the event ', + name: 'zoom.operator_id', + type: 'keyword', + }, + 'zoom.operator': { + category: 'zoom', + description: 'Username/Email related to the user that triggered the event ', + name: 'zoom.operator', + type: 'keyword', + }, + 'zoom.account_id': { + category: 'zoom', + description: 'Related accountID to the event ', + name: 'zoom.account_id', + type: 'keyword', + }, + 'zoom.timestamp': { + category: 'zoom', + description: 'Timestamp related to the event ', + name: 'zoom.timestamp', + type: 'date', + }, + 'zoom.creation_type': { + category: 'zoom', + description: 'Creation type ', + name: 'zoom.creation_type', + type: 'keyword', + }, + 'zoom.account.owner_id': { + category: 'zoom', + description: 'UserID of the user whose sub account was created/disassociated ', + name: 'zoom.account.owner_id', + type: 'keyword', + }, + 'zoom.account.email': { + category: 'zoom', + description: 'Email related to the user the action was performed on ', + name: 'zoom.account.email', + type: 'keyword', + }, + 'zoom.account.owner_email': { + category: 'zoom', + description: 'Email of the user whose sub account was created/disassociated ', + name: 'zoom.account.owner_email', + type: 'keyword', + }, + 'zoom.account.account_name': { + category: 'zoom', + description: 'When an account name is updated, this is the new value set ', + name: 'zoom.account.account_name', + type: 'keyword', + }, + 
'zoom.account.account_alias': { + category: 'zoom', + description: 'When an account alias is updated, this is the new value set ', + name: 'zoom.account.account_alias', + type: 'keyword', + }, + 'zoom.account.account_support_name': { + category: 'zoom', + description: 'When an account support_name is updated, this is the new value set ', + name: 'zoom.account.account_support_name', + type: 'keyword', + }, + 'zoom.account.account_support_email': { + category: 'zoom', + description: 'When an account support_email is updated, this is the new value set ', + name: 'zoom.account.account_support_email', + type: 'keyword', + }, + 'zoom.chat_channel.name': { + category: 'zoom', + description: 'The name of the channel that has been added/modified/deleted ', + name: 'zoom.chat_channel.name', + type: 'keyword', + }, + 'zoom.chat_channel.id': { + category: 'zoom', + description: 'The ID of the channel that has been added/modified/deleted ', + name: 'zoom.chat_channel.id', + type: 'keyword', + }, + 'zoom.chat_channel.type': { + category: 'zoom', + description: + 'Type of channel related to the event. 
Can be 1(Invite-Only), 2(Private) or 3(Public) ', + name: 'zoom.chat_channel.type', + type: 'keyword', + }, + 'zoom.chat_message.id': { + category: 'zoom', + description: 'Unique ID of the related chat message ', + name: 'zoom.chat_message.id', + type: 'keyword', + }, + 'zoom.chat_message.type': { + category: 'zoom', + description: 'Type of message, can be either "to_contact" or "to_channel" ', + name: 'zoom.chat_message.type', + type: 'keyword', + }, + 'zoom.chat_message.session_id': { + category: 'zoom', + description: 'SessionID for the channel related to the message ', + name: 'zoom.chat_message.session_id', + type: 'keyword', + }, + 'zoom.chat_message.contact_email': { + category: 'zoom', + description: 'Email address related to the user sending the message ', + name: 'zoom.chat_message.contact_email', + type: 'keyword', + }, + 'zoom.chat_message.contact_id': { + category: 'zoom', + description: 'UserID belonging to the user receiving a message ', + name: 'zoom.chat_message.contact_id', + type: 'keyword', + }, + 'zoom.chat_message.channel_id': { + category: 'zoom', + description: 'ChannelID related to the message ', + name: 'zoom.chat_message.channel_id', + type: 'keyword', + }, + 'zoom.chat_message.channel_name': { + category: 'zoom', + description: 'Channel name related to the message ', + name: 'zoom.chat_message.channel_name', + type: 'keyword', + }, + 'zoom.chat_message.message': { + category: 'zoom', + description: 'A string containing the full message that was sent ', + name: 'zoom.chat_message.message', + type: 'keyword', + }, + 'zoom.meeting.id': { + category: 'zoom', + description: 'Unique ID of the related meeting ', + name: 'zoom.meeting.id', + type: 'keyword', + }, + 'zoom.meeting.uuid': { + category: 'zoom', + description: 'The UUID of the related meeting ', + name: 'zoom.meeting.uuid', + type: 'keyword', + }, + 'zoom.meeting.host_id': { + category: 'zoom', + description: 'The UserID of the configured meeting host ', + name: 
'zoom.meeting.host_id', + type: 'keyword', + }, + 'zoom.meeting.topic': { + category: 'zoom', + description: 'Topic of the related meeting ', + name: 'zoom.meeting.topic', + type: 'keyword', + }, + 'zoom.meeting.type': { + category: 'zoom', + description: 'Type of meeting created ', + name: 'zoom.meeting.type', + type: 'keyword', + }, + 'zoom.meeting.start_time': { + category: 'zoom', + description: 'Date and time the meeting started ', + name: 'zoom.meeting.start_time', + type: 'date', + }, + 'zoom.meeting.timezone': { + category: 'zoom', + description: 'Which timezone is used for the meeting timestamps ', + name: 'zoom.meeting.timezone', + type: 'keyword', + }, + 'zoom.meeting.duration': { + category: 'zoom', + description: 'The duration of a meeting in minutes ', + name: 'zoom.meeting.duration', + type: 'long', + }, + 'zoom.meeting.issues': { + category: 'zoom', + description: + 'When a user reports an issue with the meeting, for example: "Unstable audio quality" ', + name: 'zoom.meeting.issues', + type: 'keyword', + }, + 'zoom.meeting.password': { + category: 'zoom', + description: 'Password related to the meeting ', + name: 'zoom.meeting.password', + type: 'keyword', + }, + 'zoom.phone.id': { + category: 'zoom', + description: 'Unique ID for the phone or conversation ', + name: 'zoom.phone.id', + type: 'keyword', + }, + 'zoom.phone.user_id': { + category: 'zoom', + description: 'UserID for the phone owner related to a Call Log being completed ', + name: 'zoom.phone.user_id', + type: 'keyword', + }, + 'zoom.phone.download_url': { + category: 'zoom', + description: 'Download URL for the voicemail ', + name: 'zoom.phone.download_url', + type: 'keyword', + }, + 'zoom.phone.ringing_start_time': { + category: 'zoom', + description: 'The timestamp when a ringtone was established to the callee ', + name: 'zoom.phone.ringing_start_time', + type: 'date', + }, + 'zoom.phone.connected_start_time': { + category: 'zoom', + description: 'The date and time when a ringtone was 
established to the callee ', + name: 'zoom.phone.connected_start_time', + type: 'date', + }, + 'zoom.phone.answer_start_time': { + category: 'zoom', + description: 'The date and time when the call was answered ', + name: 'zoom.phone.answer_start_time', + type: 'date', + }, + 'zoom.phone.call_end_time': { + category: 'zoom', + description: 'The date and time when the call ended ', + name: 'zoom.phone.call_end_time', + type: 'date', + }, + 'zoom.phone.call_id': { + category: 'zoom', + description: 'Unique ID of the related call ', + name: 'zoom.phone.call_id', + type: 'keyword', + }, + 'zoom.phone.duration': { + category: 'zoom', + description: 'Duration of a voicemail in minutes ', + name: 'zoom.phone.duration', + type: 'long', + }, + 'zoom.phone.caller.id': { + category: 'zoom', + description: 'UserID of the caller related to the voicemail/call ', + name: 'zoom.phone.caller.id', + type: 'keyword', + }, + 'zoom.phone.caller.user_id': { + category: 'zoom', + description: 'UserID of the person which initiated the call ', + name: 'zoom.phone.caller.user_id', + type: 'keyword', + }, + 'zoom.phone.caller.number_type': { + category: 'zoom', + description: 'The type of number, can be 1(Internal) or 2(External) ', + name: 'zoom.phone.caller.number_type', + type: 'keyword', + }, + 'zoom.phone.caller.name': { + category: 'zoom', + description: 'The name of the related callee ', + name: 'zoom.phone.caller.name', + type: 'keyword', + }, + 'zoom.phone.caller.phone_number': { + category: 'zoom', + description: 'Phone Number of the caller related to the call ', + name: 'zoom.phone.caller.phone_number', + type: 'keyword', + }, + 'zoom.phone.caller.extension_type': { + category: 'zoom', + description: + 'Extension type of the caller number, can be user, callQueue, autoReceptionist or shareLineGroup ', + name: 'zoom.phone.caller.extension_type', + type: 'keyword', + }, + 'zoom.phone.caller.extension_number': { + category: 'zoom', + description: 'Extension number of the caller ', + 
name: 'zoom.phone.caller.extension_number', + type: 'keyword', + }, + 'zoom.phone.caller.timezone': { + category: 'zoom', + description: 'Timezone of the caller ', + name: 'zoom.phone.caller.timezone', + type: 'keyword', + }, + 'zoom.phone.caller.device_type': { + category: 'zoom', + description: 'Device type used by the caller ', + name: 'zoom.phone.caller.device_type', + type: 'keyword', + }, + 'zoom.phone.callee.id': { + category: 'zoom', + description: 'UserID of the callee related to the voicemail/call ', + name: 'zoom.phone.callee.id', + type: 'keyword', + }, + 'zoom.phone.callee.user_id': { + category: 'zoom', + description: 'UserID of the related callee of a voicemail/call ', + name: 'zoom.phone.callee.user_id', + type: 'keyword', + }, + 'zoom.phone.callee.name': { + category: 'zoom', + description: 'The name of the related callee ', + name: 'zoom.phone.callee.name', + type: 'keyword', + }, + 'zoom.phone.callee.number_type': { + category: 'zoom', + description: 'The type of number, can be 1(Internal) or 2(External) ', + name: 'zoom.phone.callee.number_type', + type: 'keyword', + }, + 'zoom.phone.callee.phone_number': { + category: 'zoom', + description: 'Phone Number of the callee related to the call ', + name: 'zoom.phone.callee.phone_number', + type: 'keyword', + }, + 'zoom.phone.callee.extension_type': { + category: 'zoom', + description: + 'Extension type of the callee number, can be user, callQueue, autoReceptionist or shareLineGroup ', + name: 'zoom.phone.callee.extension_type', + type: 'keyword', + }, + 'zoom.phone.callee.extension_number': { + category: 'zoom', + description: 'Extension number of the callee related to the call ', + name: 'zoom.phone.callee.extension_number', + type: 'keyword', + }, + 'zoom.phone.callee.timezone': { + category: 'zoom', + description: 'Timezone of the callee related to the call ', + name: 'zoom.phone.callee.timezone', + type: 'keyword', + }, + 'zoom.phone.callee.device_type': { + category: 'zoom', + description: 
'Device type used by the callee related to the call ', + name: 'zoom.phone.callee.device_type', + type: 'keyword', + }, + 'zoom.phone.date_time': { + category: 'zoom', + description: 'Date and time of the related phone event ', + name: 'zoom.phone.date_time', + type: 'date', + }, + 'zoom.recording.id': { + category: 'zoom', + description: 'Unique ID of the related recording ', + name: 'zoom.recording.id', + type: 'keyword', + }, + 'zoom.recording.uuid': { + category: 'zoom', + description: 'UUID of the related recording ', + name: 'zoom.recording.uuid', + type: 'keyword', + }, + 'zoom.recording.host_id': { + category: 'zoom', + description: 'UserID of the host of the meeting that was recorded ', + name: 'zoom.recording.host_id', + type: 'keyword', + }, + 'zoom.recording.topic': { + category: 'zoom', + description: 'Topic of the meeting related to the recording ', + name: 'zoom.recording.topic', + type: 'keyword', + }, + 'zoom.recording.type': { + category: 'zoom', + description: + 'Type of recording, can be multiple type of values, please check Zoom documentation ', + name: 'zoom.recording.type', + type: 'keyword', + }, + 'zoom.recording.start_time': { + category: 'zoom', + description: 'The date and time when the recording started ', + name: 'zoom.recording.start_time', + type: 'date', + }, + 'zoom.recording.timezone': { + category: 'zoom', + description: 'The timezone used for the recording date ', + name: 'zoom.recording.timezone', + type: 'keyword', + }, + 'zoom.recording.duration': { + category: 'zoom', + description: 'Duration of the recording in minutes ', + name: 'zoom.recording.duration', + type: 'long', + }, + 'zoom.recording.share_url': { + category: 'zoom', + description: 'The URL to access the recording ', + name: 'zoom.recording.share_url', + type: 'keyword', + }, + 'zoom.recording.total_size': { + category: 'zoom', + description: 'Total size of the recording in bytes ', + name: 'zoom.recording.total_size', + type: 'long', + }, + 
'zoom.recording.recording_count': { + category: 'zoom', + description: 'Number of recording files related to the recording ', + name: 'zoom.recording.recording_count', + type: 'long', + }, + 'zoom.recording.recording_file.recording_start': { + category: 'zoom', + description: 'The date and time the recording started ', + name: 'zoom.recording.recording_file.recording_start', + type: 'date', + }, + 'zoom.recording.recording_file.recording_end': { + category: 'zoom', + description: 'The date and time the recording finished ', + name: 'zoom.recording.recording_file.recording_end', + type: 'date', + }, + 'zoom.recording.host_email': { + category: 'zoom', + description: 'Email address of the host related to the meeting that was recorded ', + name: 'zoom.recording.host_email', + type: 'keyword', + }, + 'zoom.user.id': { + category: 'zoom', + description: 'UserID related to the user event ', + name: 'zoom.user.id', + type: 'keyword', + }, + 'zoom.user.first_name': { + category: 'zoom', + description: 'User first name related to the user event ', + name: 'zoom.user.first_name', + type: 'keyword', + }, + 'zoom.user.last_name': { + category: 'zoom', + description: 'User last name related to the user event ', + name: 'zoom.user.last_name', + type: 'keyword', + }, + 'zoom.user.email': { + category: 'zoom', + description: 'User email related to the user event ', + name: 'zoom.user.email', + type: 'keyword', + }, + 'zoom.user.type': { + category: 'zoom', + description: 'User type related to the user event ', + name: 'zoom.user.type', + type: 'keyword', + }, + 'zoom.user.phone_number': { + category: 'zoom', + description: 'User phone number related to the user event ', + name: 'zoom.user.phone_number', + type: 'keyword', + }, + 'zoom.user.phone_country': { + category: 'zoom', + description: 'User country code related to the user event ', + name: 'zoom.user.phone_country', + type: 'keyword', + }, + 'zoom.user.company': { + category: 'zoom', + description: 'User company related to 
the user event ', + name: 'zoom.user.company', + type: 'keyword', + }, + 'zoom.user.pmi': { + category: 'zoom', + description: 'User personal meeting ID related to the user event ', + name: 'zoom.user.pmi', + type: 'keyword', + }, + 'zoom.user.use_pmi': { + category: 'zoom', + description: 'If a user has PMI enabled ', + name: 'zoom.user.use_pmi', + type: 'boolean', + }, + 'zoom.user.pic_url': { + category: 'zoom', + description: 'Full URL to the profile picture used by the user ', + name: 'zoom.user.pic_url', + type: 'keyword', + }, + 'zoom.user.vanity_name': { + category: 'zoom', + description: 'Name of the personal meeting room related to the user event ', + name: 'zoom.user.vanity_name', + type: 'keyword', + }, + 'zoom.user.timezone': { + category: 'zoom', + description: 'Timezone configured for the user ', + name: 'zoom.user.timezone', + type: 'keyword', + }, + 'zoom.user.language': { + category: 'zoom', + description: 'Language configured for the user ', + name: 'zoom.user.language', + type: 'keyword', + }, + 'zoom.user.host_key': { + category: 'zoom', + description: 'Host key set for the user ', + name: 'zoom.user.host_key', + type: 'keyword', + }, + 'zoom.user.role': { + category: 'zoom', + description: 'The configured role for the user ', + name: 'zoom.user.role', + type: 'keyword', + }, + 'zoom.user.dept': { + category: 'zoom', + description: 'The configured departement for the user ', + name: 'zoom.user.dept', + type: 'keyword', + }, + 'zoom.user.presence_status': { + category: 'zoom', + description: 'Current presence status of user ', + name: 'zoom.user.presence_status', + type: 'keyword', + }, + 'zoom.user.personal_notes': { + category: 'zoom', + description: 'Personal notes for the User ', + name: 'zoom.user.personal_notes', + type: 'keyword', + }, + 'zoom.user.client_type': { + category: 'zoom', + description: 'Type of client used by the user. 
Can be browser, mac, win, iphone or android ', + name: 'zoom.user.client_type', + type: 'keyword', + }, + 'zoom.user.version': { + category: 'zoom', + description: 'Version of the client used by the user ', + name: 'zoom.user.version', + type: 'keyword', + }, + 'zoom.webinar.id': { + category: 'zoom', + description: 'Unique ID for the related webinar ', + name: 'zoom.webinar.id', + type: 'keyword', + }, + 'zoom.webinar.join_url': { + category: 'zoom', + description: 'The URL configured to join the webinar ', + name: 'zoom.webinar.join_url', + type: 'keyword', + }, + 'zoom.webinar.uuid': { + category: 'zoom', + description: 'UUID for the related webinar ', + name: 'zoom.webinar.uuid', + type: 'keyword', + }, + 'zoom.webinar.host_id': { + category: 'zoom', + description: 'UserID for the configured host of the webinar ', + name: 'zoom.webinar.host_id', + type: 'keyword', + }, + 'zoom.webinar.topic': { + category: 'zoom', + description: 'Meeting topic of the related webinar ', + name: 'zoom.webinar.topic', + type: 'keyword', + }, + 'zoom.webinar.type': { + category: 'zoom', + description: + 'Type of webinar created. 
Can be either 5(Webinar), 6(Recurring webinar without fixed time) or 9(Recurring webinar with fixed time) ', + name: 'zoom.webinar.type', + type: 'keyword', + }, + 'zoom.webinar.start_time': { + category: 'zoom', + description: 'The date and time when the webinar started ', + name: 'zoom.webinar.start_time', + type: 'date', + }, + 'zoom.webinar.timezone': { + category: 'zoom', + description: 'Timezone used for the dates related to the webinar ', + name: 'zoom.webinar.timezone', + type: 'keyword', + }, + 'zoom.webinar.duration': { + category: 'zoom', + description: 'Duration of the webinar in minutes ', + name: 'zoom.webinar.duration', + type: 'long', + }, + 'zoom.webinar.agenda': { + category: 'zoom', + description: 'The configured agenda of the webinar ', + name: 'zoom.webinar.agenda', + type: 'keyword', + }, + 'zoom.webinar.password': { + category: 'zoom', + description: 'Password configured to access the webinar ', + name: 'zoom.webinar.password', + type: 'keyword', + }, + 'zoom.webinar.issues': { + category: 'zoom', + description: 'Any reported issues about a webinar is reported in this field ', + name: 'zoom.webinar.issues', + type: 'keyword', + }, + 'zoom.zoomroom.id': { + category: 'zoom', + description: 'Unique ID of the Zoom room ', + name: 'zoom.zoomroom.id', + type: 'keyword', + }, + 'zoom.zoomroom.room_name': { + category: 'zoom', + description: 'The configured name of the Zoom room ', + name: 'zoom.zoomroom.room_name', + type: 'keyword', + }, + 'zoom.zoomroom.calendar_name': { + category: 'zoom', + description: 'Calendar name of the Zoom room ', + name: 'zoom.zoomroom.calendar_name', + type: 'keyword', + }, + 'zoom.zoomroom.calendar_id': { + category: 'zoom', + description: 'Unique ID of the calendar used by the Zoom room ', + name: 'zoom.zoomroom.calendar_id', + type: 'keyword', + }, + 'zoom.zoomroom.event_id': { + category: 'zoom', + description: 'Unique ID of the calendar event associated with the Zoom Room ', + name: 'zoom.zoomroom.event_id', + 
type: 'keyword', + }, + 'zoom.zoomroom.change_key': { + category: 'zoom', + description: + 'Key used by Microsoft products integration that represents a specific version of a calendar ', + name: 'zoom.zoomroom.change_key', + type: 'keyword', + }, + 'zoom.zoomroom.resource_email': { + category: 'zoom', + description: 'Email address associated with the calendar in use by the Zoom room ', + name: 'zoom.zoomroom.resource_email', + type: 'keyword', + }, + 'zoom.zoomroom.email': { + category: 'zoom', + description: 'Email address associated with the Zoom room itself ', + name: 'zoom.zoomroom.email', + type: 'keyword', + }, + 'zoom.zoomroom.issue': { + category: 'zoom', + description: 'Any reported alerts or issues related to the Zoom room or its equipment ', + name: 'zoom.zoomroom.issue', + type: 'keyword', + }, + 'zoom.zoomroom.alert_type': { + category: 'zoom', + description: + 'An integer value representing the type of alert. The list of alert types can be found in the Zoom documentation ', + name: 'zoom.zoomroom.alert_type', + type: 'keyword', + }, + 'zoom.zoomroom.component': { + category: 'zoom', + description: + 'An integer value representing the type of equipment or component, The list of component types can be found in the Zoom documentation ', + name: 'zoom.zoomroom.component', + type: 'keyword', + }, + 'zoom.zoomroom.alert_kind': { + category: 'zoom', + description: + 'An integer value showing if the Zoom room alert has been either 1(Triggered) or 2(Cleared) ', + name: 'zoom.zoomroom.alert_kind', + type: 'keyword', + }, + 'zoom.registrant.id': { + category: 'zoom', + description: 'Unique ID of the user registering to a meeting or webinar ', + name: 'zoom.registrant.id', + type: 'keyword', + }, + 'zoom.registrant.status': { + category: 'zoom', + description: 'Status of the specific user registration ', + name: 'zoom.registrant.status', + type: 'keyword', + }, + 'zoom.registrant.email': { + category: 'zoom', + description: 'Email of the user registering to a 
meeting or webinar ', + name: 'zoom.registrant.email', + type: 'keyword', + }, + 'zoom.registrant.first_name': { + category: 'zoom', + description: 'First name of the user registering to a meeting or webinar ', + name: 'zoom.registrant.first_name', + type: 'keyword', + }, + 'zoom.registrant.last_name': { + category: 'zoom', + description: 'Last name of the user registering to a meeting or webinar ', + name: 'zoom.registrant.last_name', + type: 'keyword', + }, + 'zoom.registrant.address': { + category: 'zoom', + description: 'Address of the user registering to a meeting or webinar ', + name: 'zoom.registrant.address', + type: 'keyword', + }, + 'zoom.registrant.city': { + category: 'zoom', + description: 'City of the user registering to a meeting or webinar ', + name: 'zoom.registrant.city', + type: 'keyword', + }, + 'zoom.registrant.country': { + category: 'zoom', + description: 'Country of the user registering to a meeting or webinar ', + name: 'zoom.registrant.country', + type: 'keyword', + }, + 'zoom.registrant.zip': { + category: 'zoom', + description: 'Zip code of the user registering to a meeting or webinar ', + name: 'zoom.registrant.zip', + type: 'keyword', + }, + 'zoom.registrant.state': { + category: 'zoom', + description: 'State of the user registering to a meeting or webinar ', + name: 'zoom.registrant.state', + type: 'keyword', + }, + 'zoom.registrant.phone': { + category: 'zoom', + description: 'Phone number of the user registering to a meeting or webinar ', + name: 'zoom.registrant.phone', + type: 'keyword', + }, + 'zoom.registrant.industry': { + category: 'zoom', + description: 'Related industry of the user registering to a meeting or webinar ', + name: 'zoom.registrant.industry', + type: 'keyword', + }, + 'zoom.registrant.org': { + category: 'zoom', + description: 'Organization related to the user registering to a meeting or webinar ', + name: 'zoom.registrant.org', + type: 'keyword', + }, + 'zoom.registrant.job_title': { + category: 'zoom', + 
description: 'Job title of the user registering to a meeting or webinar ', + name: 'zoom.registrant.job_title', + type: 'keyword', + }, + 'zoom.registrant.purchasing_time_frame': { + category: 'zoom', + description: 'Choosen purchase timeframe of the user registering to a meeting or webinar ', + name: 'zoom.registrant.purchasing_time_frame', + type: 'keyword', + }, + 'zoom.registrant.role_in_purchase_process': { + category: 'zoom', + description: + 'Choosen role in a purchase process related to the user registering to a meeting or webinar ', + name: 'zoom.registrant.role_in_purchase_process', + type: 'keyword', + }, + 'zoom.registrant.no_of_employees': { + category: 'zoom', + description: 'Number of employees choosen by the user registering to a meeting or webinar ', + name: 'zoom.registrant.no_of_employees', + type: 'keyword', + }, + 'zoom.registrant.comments': { + category: 'zoom', + description: 'Comments left by the user registering to a meeting or webinar ', + name: 'zoom.registrant.comments', + type: 'keyword', + }, + 'zoom.registrant.join_url': { + category: 'zoom', + description: 'The URL that the registrant can use to join the webinar ', + name: 'zoom.registrant.join_url', + type: 'keyword', + }, + 'zoom.participant.id': { + category: 'zoom', + description: 'Unique ID of the participant related to a meeting ', + name: 'zoom.participant.id', + type: 'keyword', + }, + 'zoom.participant.user_id': { + category: 'zoom', + description: 'UserID of the participant related to a meeting ', + name: 'zoom.participant.user_id', + type: 'keyword', + }, + 'zoom.participant.user_name': { + category: 'zoom', + description: 'Username of the participant related to a meeting ', + name: 'zoom.participant.user_name', + type: 'keyword', + }, + 'zoom.participant.join_time': { + category: 'zoom', + description: 'The date and time a participant joined a meeting ', + name: 'zoom.participant.join_time', + type: 'date', + }, + 'zoom.participant.leave_time': { + category: 'zoom', + 
description: 'The date and time a participant left a meeting ', + name: 'zoom.participant.leave_time', + type: 'date', + }, + 'zoom.participant.sharing_details.link_source': { + category: 'zoom', + description: 'Method of sharing with dropbox integration ', + name: 'zoom.participant.sharing_details.link_source', + type: 'keyword', + }, + 'zoom.participant.sharing_details.content': { + category: 'zoom', + description: 'Type of content that was shared ', + name: 'zoom.participant.sharing_details.content', + type: 'keyword', + }, + 'zoom.participant.sharing_details.file_link': { + category: 'zoom', + description: 'The file link that was shared ', + name: 'zoom.participant.sharing_details.file_link', + type: 'keyword', + }, + 'zoom.participant.sharing_details.date_time': { + category: 'zoom', + description: 'Timestamp the sharing started ', + name: 'zoom.participant.sharing_details.date_time', + type: 'keyword', + }, + 'zoom.participant.sharing_details.source': { + category: 'zoom', + description: 'The file source that was share ', + name: 'zoom.participant.sharing_details.source', + type: 'keyword', + }, + 'zoom.old_values': { + category: 'zoom', + description: + 'Includes the old values when updating a object like user, meeting, account or webinar ', + name: 'zoom.old_values', + type: 'flattened', + }, + 'zoom.settings': { + category: 'zoom', + description: + 'The current active settings related to a object like user, meeting, account or webinar ', + name: 'zoom.settings', + type: 'flattened', + }, + 'aws-cloudwatch.log_group': { + category: 'aws-cloudwatch', description: 'The name of the log group to which this event belongs.', - name: 'awscloudwatch.log_group', + name: 'aws-cloudwatch.log_group', type: 'keyword', }, - 'awscloudwatch.log_stream': { - category: 'awscloudwatch', + 'aws-cloudwatch.log_stream': { + category: 'aws-cloudwatch', description: 'The name of the log stream to which this event belongs.', - name: 'awscloudwatch.log_stream', + name: 
'aws-cloudwatch.log_stream', type: 'keyword', }, - 'awscloudwatch.ingestion_time': { - category: 'awscloudwatch', + 'aws-cloudwatch.ingestion_time': { + category: 'aws-cloudwatch', description: 'The time the event was ingested in AWS CloudWatch.', - name: 'awscloudwatch.ingestion_time', + name: 'aws-cloudwatch.ingestion_time', + type: 'keyword', + }, + bucket_name: { + category: 'base', + description: 'Name of the S3 bucket that this log retrieved from. ', + name: 'bucket_name', + type: 'keyword', + }, + object_key: { + category: 'base', + description: 'Name of the S3 object that this log retrieved from. ', + name: 'object_key', type: 'keyword', }, 'netflow.type': { @@ -30934,18 +37091,6 @@ export const fieldsBeat: BeatFields = { name: 'netflow.vpn_identifier', type: 'short', }, - bucket_name: { - category: 'base', - description: 'Name of the S3 bucket that this log retrieved from. ', - name: 'bucket_name', - type: 'keyword', - }, - object_key: { - category: 'base', - description: 'Name of the S3 object that this log retrieved from. ', - name: 'object_key', - type: 'keyword', - }, 'cef.version': { category: 'cef', description: 'Version of the CEF specification used by the message. ', 
@@ -33954,377 +40099,451 @@ export const fieldsBeat: BeatFields = { 'If the Redis command has resulted in an error, this field contains the error message returned by the Redis server. ', name: 'redis.error', }, - 'thrift.params': { - category: 'thrift', - description: - 'The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. ', - name: 'thrift.params', + 'sip.code': { + category: 'sip', + description: 'Response status code.', + name: 'sip.code', + type: 'keyword', }, - 'thrift.service': { - category: 'thrift', - description: 'The name of the Thrift-RPC service as defined in the IDL files. ', - name: 'thrift.service', + 'sip.method': { + category: 'sip', + description: 'Request method.', + name: 'sip.method', + type: 'keyword', }, - 'thrift.return_value': { - category: 'thrift', - description: - 'The value returned by the Thrift-RPC call. This is encoded in a human readable format. ', - name: 'thrift.return_value', + 'sip.status': { + category: 'sip', + description: 'Response status phrase.', + name: 'sip.status', + type: 'keyword', }, - 'thrift.exceptions': { - category: 'thrift', - description: - 'If the call resulted in exceptions, this field contains the exceptions in a human readable format. 
', - name: 'thrift.exceptions', + 'sip.type': { + category: 'sip', + description: 'Either request or response.', + name: 'sip.type', + type: 'keyword', }, - 'tls.client.x509.version': { - category: 'tls', - description: 'Version of x509 format.', - example: 3, - name: 'tls.client.x509.version', + 'sip.version': { + category: 'sip', + description: 'SIP protocol version.', + name: 'sip.version', type: 'keyword', }, - 'tls.client.x509.version_number': { - category: 'tls', - description: 'Version of x509 format.', - example: 3, - name: 'tls.client.x509.version_number', + 'sip.uri.original': { + category: 'sip', + description: 'The original URI.', + name: 'sip.uri.original', type: 'keyword', }, - 'tls.client.x509.serial_number': { - category: 'tls', - description: - 'Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. ', - example: '55FBB9C7DEBF09809D12CCAA', - name: 'tls.client.x509.serial_number', + 'sip.uri.scheme': { + category: 'sip', + description: 'The URI scheme.', + name: 'sip.uri.scheme', type: 'keyword', }, - 'tls.client.x509.issuer.distinguished_name': { - category: 'tls', - description: 'Distinguished name (DN) of issuing certificate authority.', - example: 'C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA', - name: 'tls.client.x509.issuer.distinguished_name', + 'sip.uri.username': { + category: 'sip', + description: 'The URI user name.', + name: 'sip.uri.username', type: 'keyword', }, - 'tls.client.x509.issuer.common_name': { - category: 'tls', - description: 'List of common name (CN) of issuing certificate authority.', - example: 'DigiCert SHA2 High Assurance Server CA', - name: 'tls.client.x509.issuer.common_name', + 'sip.uri.host': { + category: 'sip', + description: 'The URI host.', + name: 'sip.uri.host', type: 'keyword', }, - 'tls.client.x509.issuer.organizational_unit': { - category: 'tls', - 
description: 'List of organizational units (OU) of issuing certificate authority.', - example: 'www.digicert.com', - name: 'tls.client.x509.issuer.organizational_unit', + 'sip.uri.port': { + category: 'sip', + description: 'The URI port.', + name: 'sip.uri.port', type: 'keyword', }, - 'tls.client.x509.issuer.organization': { - category: 'tls', - description: 'List of organizations (O) of issuing certificate authority.', - example: 'DigiCert Inc', - name: 'tls.client.x509.issuer.organization', + 'sip.accept': { + category: 'sip', + description: 'Accept header value.', + name: 'sip.accept', type: 'keyword', }, - 'tls.client.x509.issuer.locality': { - category: 'tls', - description: 'List of locality names (L)', - example: 'Mountain View', - name: 'tls.client.x509.issuer.locality', + 'sip.allow': { + category: 'sip', + description: 'Allowed methods.', + name: 'sip.allow', type: 'keyword', }, - 'tls.client.x509.issuer.province': { - category: 'tls', - description: 'Province or region within country.', - name: 'tls.client.x509.issuer.province', + 'sip.call_id': { + category: 'sip', + description: 'Call ID.', + name: 'sip.call_id', type: 'keyword', }, - 'tls.client.x509.issuer.state_or_province': { - category: 'tls', - description: 'List of state or province names (ST, S, or P)', - example: 'California', - name: 'tls.client.x509.issuer.state_or_province', + 'sip.content_length': { + category: 'sip', + name: 'sip.content_length', + type: 'long', + }, + 'sip.content_type': { + category: 'sip', + name: 'sip.content_type', type: 'keyword', }, - 'tls.client.x509.issuer.country': { - category: 'tls', - description: 'List of country (C) codes', - example: 'US', - name: 'tls.client.x509.issuer.country', + 'sip.max_forwards': { + category: 'sip', + name: 'sip.max_forwards', + type: 'long', + }, + 'sip.supported': { + category: 'sip', + description: 'Supported methods.', + name: 'sip.supported', type: 'keyword', }, - 'tls.client.x509.signature_algorithm': { - category: 'tls', - 
description: - 'Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).', - example: 'SHA256-RSA', - name: 'tls.client.x509.signature_algorithm', + 'sip.user_agent.original': { + category: 'sip', + name: 'sip.user_agent.original', type: 'keyword', }, - 'tls.client.x509.not_before': { - category: 'tls', - description: 'Time at which the certificate is first considered valid.', - example: '"2019-08-16T01:40:25.000Z"', - name: 'tls.client.x509.not_before', - type: 'date', + 'sip.private.uri.original': { + category: 'sip', + description: 'Private original URI.', + name: 'sip.private.uri.original', + type: 'keyword', }, - 'tls.client.x509.not_after': { - category: 'tls', - description: 'Time at which the certificate is no longer considered valid.', - example: '"2020-07-16T03:15:39.000Z"', - name: 'tls.client.x509.not_after', - type: 'date', + 'sip.private.uri.scheme': { + category: 'sip', + description: 'Private URI scheme.', + name: 'sip.private.uri.scheme', + type: 'keyword', }, - 'tls.client.x509.subject.distinguished_name': { - category: 'tls', - description: 'Distinguished name (DN) of the certificate subject entity.', - example: 'C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net', - name: 'tls.client.x509.subject.distinguished_name', + 'sip.private.uri.username': { + category: 'sip', + description: 'Private URI user name.', + name: 'sip.private.uri.username', type: 'keyword', }, - 'tls.client.x509.subject.common_name': { - category: 'tls', - description: 'List of common names (CN) of subject.', - example: 'r2.shared.global.fastly.net', - name: 'tls.client.x509.subject.common_name', + 'sip.private.uri.host': { + category: 'sip', + description: 'Private URI host.', + name: 'sip.private.uri.host', type: 'keyword', }, - 'tls.client.x509.subject.organizational_unit': { - category: 'tls', - description: 'List 
of organizational units (OU) of subject.', - name: 'tls.client.x509.subject.organizational_unit', + 'sip.private.uri.port': { + category: 'sip', + description: 'Private URI port.', + name: 'sip.private.uri.port', type: 'keyword', }, - 'tls.client.x509.subject.organization': { - category: 'tls', - description: 'List of organizations (O) of subject.', - example: 'Fastly, Inc.', - name: 'tls.client.x509.subject.organization', + 'sip.cseq.code': { + category: 'sip', + description: 'Sequence code.', + name: 'sip.cseq.code', type: 'keyword', }, - 'tls.client.x509.subject.locality': { - category: 'tls', - description: 'List of locality names (L)', - example: 'San Francisco', - name: 'tls.client.x509.subject.locality', + 'sip.cseq.method': { + category: 'sip', + description: 'Sequence method.', + name: 'sip.cseq.method', type: 'keyword', }, - 'tls.client.x509.subject.province': { - category: 'tls', - description: 'Province or region within country.', - name: 'tls.client.x509.subject.province', + 'sip.via.original': { + category: 'sip', + description: 'The original Via value.', + name: 'sip.via.original', type: 'keyword', }, - 'tls.client.x509.subject.state_or_province': { - category: 'tls', - description: 'List of state or province names (ST, S, or P)', - example: 'California', - name: 'tls.client.x509.subject.state_or_province', + 'sip.to.display_info': { + category: 'sip', + description: 'To display info', + name: 'sip.to.display_info', type: 'keyword', }, - 'tls.client.x509.subject.country': { - category: 'tls', - description: 'List of country (C) code', - example: 'US', - name: 'tls.client.x509.subject.country', + 'sip.to.uri.original': { + category: 'sip', + description: 'To original URI', + name: 'sip.to.uri.original', type: 'keyword', }, - 'tls.client.x509.public_key_algorithm': { - category: 'tls', - description: 'Algorithm used to generate the public key.', - example: 'RSA', - name: 'tls.client.x509.public_key_algorithm', + 'sip.to.uri.scheme': { + category: 
'sip', + description: 'To URI scheme', + name: 'sip.to.uri.scheme', type: 'keyword', }, - 'tls.client.x509.public_key_size': { - category: 'tls', - description: 'The size of the public key space in bits.', - example: 2048, - name: 'tls.client.x509.public_key_size', - type: 'long', + 'sip.to.uri.username': { + category: 'sip', + description: 'To URI user name', + name: 'sip.to.uri.username', + type: 'keyword', }, - 'tls.client.x509.alternative_names': { - category: 'tls', - description: - 'List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', - example: '*.elastic.co', - name: 'tls.client.x509.alternative_names', + 'sip.to.uri.host': { + category: 'sip', + description: 'To URI host', + name: 'sip.to.uri.host', type: 'keyword', }, - 'tls.server.x509.version': { - category: 'tls', - description: 'Version of x509 format.', - example: 3, - name: 'tls.server.x509.version', + 'sip.to.uri.port': { + category: 'sip', + description: 'To URI port', + name: 'sip.to.uri.port', type: 'keyword', }, - 'tls.server.x509.version_number': { - category: 'tls', - description: 'Version of x509 format.', - example: 3, - name: 'tls.server.x509.version_number', + 'sip.to.tag': { + category: 'sip', + description: 'To tag', + name: 'sip.to.tag', type: 'keyword', }, - 'tls.server.x509.serial_number': { - category: 'tls', - description: - 'Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. 
', - example: '55FBB9C7DEBF09809D12CCAA', - name: 'tls.server.x509.serial_number', + 'sip.from.display_info': { + category: 'sip', + description: 'From display info', + name: 'sip.from.display_info', type: 'keyword', }, - 'tls.server.x509.issuer.distinguished_name': { - category: 'tls', - description: 'Distinguished name (DN) of issuing certificate authority.', - example: 'C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA', - name: 'tls.server.x509.issuer.distinguished_name', + 'sip.from.uri.original': { + category: 'sip', + description: 'From original URI', + name: 'sip.from.uri.original', type: 'keyword', }, - 'tls.server.x509.issuer.common_name': { - category: 'tls', - description: 'List of common name (CN) of issuing certificate authority.', - example: 'DigiCert SHA2 High Assurance Server CA', - name: 'tls.server.x509.issuer.common_name', + 'sip.from.uri.scheme': { + category: 'sip', + description: 'From URI scheme', + name: 'sip.from.uri.scheme', type: 'keyword', }, - 'tls.server.x509.issuer.organizational_unit': { - category: 'tls', - description: 'List of organizational units (OU) of issuing certificate authority.', - example: 'www.digicert.com', - name: 'tls.server.x509.issuer.organizational_unit', + 'sip.from.uri.username': { + category: 'sip', + description: 'From URI user name', + name: 'sip.from.uri.username', type: 'keyword', }, - 'tls.server.x509.issuer.organization': { - category: 'tls', - description: 'List of organizations (O) of issuing certificate authority.', - example: 'DigiCert Inc', - name: 'tls.server.x509.issuer.organization', + 'sip.from.uri.host': { + category: 'sip', + description: 'From URI host', + name: 'sip.from.uri.host', type: 'keyword', }, - 'tls.server.x509.issuer.locality': { - category: 'tls', - description: 'List of locality names (L)', - example: 'Mountain View', - name: 'tls.server.x509.issuer.locality', + 'sip.from.uri.port': { + category: 'sip', + description: 'From URI port', + name: 
'sip.from.uri.port', type: 'keyword', }, - 'tls.server.x509.issuer.province': { - category: 'tls', - description: 'Province or region within country.', - name: 'tls.server.x509.issuer.province', + 'sip.from.tag': { + category: 'sip', + description: 'From tag', + name: 'sip.from.tag', type: 'keyword', }, - 'tls.server.x509.issuer.state_or_province': { - category: 'tls', - description: 'List of state or province names (ST, S, or P)', - example: 'California', - name: 'tls.server.x509.issuer.state_or_province', + 'sip.contact.display_info': { + category: 'sip', + description: 'Contact display info', + name: 'sip.contact.display_info', type: 'keyword', }, - 'tls.server.x509.issuer.country': { - category: 'tls', - description: 'List of country (C) codes', - example: 'US', - name: 'tls.server.x509.issuer.country', + 'sip.contact.uri.original': { + category: 'sip', + description: 'Contact original URI', + name: 'sip.contact.uri.original', type: 'keyword', }, - 'tls.server.x509.signature_algorithm': { - category: 'tls', - description: - 'Identifier for certificate signature algorithm. 
Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353).', - example: 'SHA256-RSA', - name: 'tls.server.x509.signature_algorithm', + 'sip.contact.uri.scheme': { + category: 'sip', + description: 'Contat URI scheme', + name: 'sip.contact.uri.scheme', type: 'keyword', }, - 'tls.server.x509.not_before': { - category: 'tls', - description: 'Time at which the certificate is first considered valid.', - example: '"2019-08-16T01:40:25.000Z"', - name: 'tls.server.x509.not_before', - type: 'date', + 'sip.contact.uri.username': { + category: 'sip', + description: 'Contact URI user name', + name: 'sip.contact.uri.username', + type: 'keyword', }, - 'tls.server.x509.not_after': { - category: 'tls', - description: 'Time at which the certificate is no longer considered valid.', - example: '"2020-07-16T03:15:39.000Z"', - name: 'tls.server.x509.not_after', - type: 'date', + 'sip.contact.uri.host': { + category: 'sip', + description: 'Contact URI host', + name: 'sip.contact.uri.host', + type: 'keyword', }, - 'tls.server.x509.subject.distinguished_name': { - category: 'tls', - description: 'Distinguished name (DN) of the certificate subject entity.', - example: 'C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net', - name: 'tls.server.x509.subject.distinguished_name', + 'sip.contact.uri.port': { + category: 'sip', + description: 'Contact URI port', + name: 'sip.contact.uri.port', type: 'keyword', }, - 'tls.server.x509.subject.common_name': { - category: 'tls', - description: 'List of common names (CN) of subject.', - example: 'r2.shared.global.fastly.net', - name: 'tls.server.x509.subject.common_name', + 'sip.contact.transport': { + category: 'sip', + description: 'Contact transport', + name: 'sip.contact.transport', type: 'keyword', }, - 'tls.server.x509.subject.organizational_unit': { - category: 'tls', - description: 'List of organizational units (OU) of subject.', - 
name: 'tls.server.x509.subject.organizational_unit', + 'sip.contact.line': { + category: 'sip', + description: 'Contact line', + name: 'sip.contact.line', type: 'keyword', }, - 'tls.server.x509.subject.organization': { - category: 'tls', - description: 'List of organizations (O) of subject.', - example: 'Fastly, Inc.', - name: 'tls.server.x509.subject.organization', + 'sip.contact.expires': { + category: 'sip', + description: 'Contact expires', + name: 'sip.contact.expires', type: 'keyword', }, - 'tls.server.x509.subject.locality': { - category: 'tls', - description: 'List of locality names (L)', - example: 'San Francisco', - name: 'tls.server.x509.subject.locality', + 'sip.contact.q': { + category: 'sip', + description: 'Contact Q', + name: 'sip.contact.q', type: 'keyword', }, - 'tls.server.x509.subject.province': { + 'sip.auth.scheme': { + category: 'sip', + description: 'Auth scheme', + name: 'sip.auth.scheme', + type: 'keyword', + }, + 'sip.auth.realm': { + category: 'sip', + description: 'Auth realm', + name: 'sip.auth.realm', + type: 'keyword', + }, + 'sip.auth.uri.original': { + category: 'sip', + description: 'Auth original URI', + name: 'sip.auth.uri.original', + type: 'keyword', + }, + 'sip.auth.uri.scheme': { + category: 'sip', + description: 'Auth URI scheme', + name: 'sip.auth.uri.scheme', + type: 'keyword', + }, + 'sip.auth.uri.host': { + category: 'sip', + description: 'Auth URI host', + name: 'sip.auth.uri.host', + type: 'keyword', + }, + 'sip.auth.uri.port': { + category: 'sip', + description: 'Auth URI port', + name: 'sip.auth.uri.port', + type: 'keyword', + }, + 'sip.sdp.version': { + category: 'sip', + description: 'SDP version', + name: 'sip.sdp.version', + type: 'keyword', + }, + 'sip.sdp.owner.username': { + category: 'sip', + description: 'SDP owner user name', + name: 'sip.sdp.owner.username', + type: 'keyword', + }, + 'sip.sdp.owner.session_id': { + category: 'sip', + description: 'SDP owner session ID', + name: 'sip.sdp.owner.session_id', 
+ type: 'keyword', + }, + 'sip.sdp.owner.version': { + category: 'sip', + description: 'SDP owner version', + name: 'sip.sdp.owner.version', + type: 'keyword', + }, + 'sip.sdp.owner.ip': { + category: 'sip', + description: 'SDP owner IP', + name: 'sip.sdp.owner.ip', + type: 'ip', + }, + 'sip.sdp.session.name': { + category: 'sip', + description: 'SDP session name', + name: 'sip.sdp.session.name', + type: 'keyword', + }, + 'sip.sdp.connection.info': { + category: 'sip', + description: 'SDP connection info', + name: 'sip.sdp.connection.info', + type: 'keyword', + }, + 'sip.sdp.connection.address': { + category: 'sip', + description: 'SDP connection address', + name: 'sip.sdp.connection.address', + type: 'keyword', + }, + 'sip.sdp.body.original': { + category: 'sip', + description: 'SDP original body', + name: 'sip.sdp.body.original', + type: 'keyword', + }, + 'thrift.params': { + category: 'thrift', + description: + 'The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. ', + name: 'thrift.params', + }, + 'thrift.service': { + category: 'thrift', + description: 'The name of the Thrift-RPC service as defined in the IDL files. ', + name: 'thrift.service', + }, + 'thrift.return_value': { + category: 'thrift', + description: + 'The value returned by the Thrift-RPC call. This is encoded in a human readable format. ', + name: 'thrift.return_value', + }, + 'thrift.exceptions': { + category: 'thrift', + description: + 'If the call resulted in exceptions, this field contains the exceptions in a human readable format. 
', + name: 'thrift.exceptions', + }, + 'tls.client.x509.version': { category: 'tls', - description: 'Province or region within country.', - name: 'tls.server.x509.subject.province', + description: 'Version of x509 format.', + example: 3, + name: 'tls.client.x509.version', type: 'keyword', }, - 'tls.server.x509.subject.state_or_province': { + 'tls.client.x509.issuer.province': { category: 'tls', - description: 'List of state or province names (ST, S, or P)', - example: 'California', - name: 'tls.server.x509.subject.state_or_province', + description: 'Province or region within country.', + name: 'tls.client.x509.issuer.province', type: 'keyword', }, - 'tls.server.x509.subject.country': { + 'tls.client.x509.subject.province': { category: 'tls', - description: 'List of country (C) code', - example: 'US', - name: 'tls.server.x509.subject.country', + description: 'Province or region within country.', + name: 'tls.client.x509.subject.province', type: 'keyword', }, - 'tls.server.x509.public_key_algorithm': { + 'tls.server.x509.version': { category: 'tls', - description: 'Algorithm used to generate the public key.', - example: 'RSA', - name: 'tls.server.x509.public_key_algorithm', + description: 'Version of x509 format.', + example: 3, + name: 'tls.server.x509.version', type: 'keyword', }, - 'tls.server.x509.public_key_size': { + 'tls.server.x509.issuer.province': { category: 'tls', - description: 'The size of the public key space in bits.', - example: 2048, - name: 'tls.server.x509.public_key_size', - type: 'long', + description: 'Province or region within country.', + name: 'tls.server.x509.issuer.province', + type: 'keyword', }, - 'tls.server.x509.alternative_names': { + 'tls.server.x509.subject.province': { category: 'tls', - description: - 'List of subject alternative names (SAN). 
Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.', - example: '*.elastic.co', - name: 'tls.server.x509.alternative_names', + description: 'Province or region within country.', + name: 'tls.server.x509.subject.province', type: 'keyword', }, 'tls.detailed.version': { @@ -35117,7 +41336,7 @@ export const fieldsBeat: BeatFields = { 'winlog.api': { category: 'winlog', description: - 'The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. ', + 'The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "wineventlog-experimental" for its experimental implementation. ', name: 'winlog.api', }, 'winlog.activity_id': { From b89af7f5117d95cd7bf2f881e4496da4b49cfa2c Mon Sep 17 00:00:00 2001 From: Ryland Herrick Date: Fri, 23 Apr 2021 16:10:43 -0500 Subject: [PATCH 4/5] Update BEATS_VERSION to reflect what's been captured thus far I simply neglected to commit this change previously --- x-pack/plugins/security_solution/scripts/beat_docs/build.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugins/security_solution/scripts/beat_docs/build.js b/x-pack/plugins/security_solution/scripts/beat_docs/build.js index 4a2bc9b21c66c..b8bcedda9356a 100644 --- a/x-pack/plugins/security_solution/scripts/beat_docs/build.js +++ b/x-pack/plugins/security_solution/scripts/beat_docs/build.js 
@@ -26,7 +26,7 @@ const zlib = require('zlib'); const OUTPUT_DIRECTORY = resolve('scripts', 'beat_docs'); const OUTPUT_SERVER_DIRECTORY = resolve('server', 'utils', 'beat_schema'); -const BEATS_VERSION = '7.9.0'; +const BEATS_VERSION = '7.12.0'; const beats = [ { From 3da3486051000afd8fac7eec14081f64267c75ee Mon Sep 17 00:00:00 2001 From: Ryland Herrick Date: Tue, 4 May 2021 13:21:45 -0500 Subject: [PATCH 5/5] Update unit test implicitly testing field descriptions The fields under test here had a minor grammatical change. --- .../server/search_strategy/index_fields/index.test.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/x-pack/plugins/security_solution/server/search_strategy/index_fields/index.test.ts b/x-pack/plugins/security_solution/server/search_strategy/index_fields/index.test.ts index f6d78f2f1259f..51892a1a05d55 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/index_fields/index.test.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/index_fields/index.test.ts @@ -126,7 +126,7 @@ describe('Index Fields', () => { }, { description: - 'Type of the agent. The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.', + 'Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.', example: 'filebeat', name: 'agent.type', type: 'string', 
@@ -252,7 +252,7 @@ describe('Index Fields', () => { { category: 'agent', description: - 'Type of the agent. The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.', + 'Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.', example: 'filebeat', name: 'agent.type', type: 'string', @@ -426,7 +426,7 @@ describe('Index Fields', () => { { category: 'agent', description: - 'Type of the agent. The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.', + 'Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.', example: 'filebeat', name: 'agent.type', type: 'string',
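Review bot: The expected description for `agent.type` is pasted verbatim in three fixtures of this test file (the hunks at 126, 252 and 426 all edit the same literal), so every regeneration of the beat schema will keep breaking a search-strategy test whose subject is not field wording. Hoist it once, e.g. `const AGENT_TYPE_DESCRIPTION = 'Type of the agent. The agent type always stays the same …';` near the top of the file and use `description: AGENT_TYPE_DESCRIPTION` in each fixture; if the generated `fieldsBeat` map (its header is visible in the earlier hunk as `export const fieldsBeat: BeatFields`) can be imported by this test, `fieldsBeat['agent.type'].description` would remove the manual sync entirely, though whether the test's mocks permit that import is not visible from the hunk. The enclosing `describe('Index Fields', …)` block begins and ends outside the hunk.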
