10938 lines
367 KiB
YAML
10938 lines
367 KiB
YAML
# WARNING! Do not edit this file directly, it was generated by the ECS project,
|
||
# based on ECS version 1.12.0.
|
||
# Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
|
||
|
||
- key: ecs
|
||
title: ECS
|
||
description: ECS Fields.
|
||
fields:
|
||
- name: '@timestamp'
|
||
level: core
|
||
required: true
|
||
type: date
|
||
description: 'Date/time when the event originated.
|
||
|
||
This is the date/time extracted from the event, typically representing when
|
||
the event was generated by the source.
|
||
|
||
If the event source has no original timestamp, this value is typically populated
|
||
by the first time the event was received by the pipeline.
|
||
|
||
Required field for all events.'
|
||
example: '2016-05-23T08:05:34.853Z'
|
||
- name: labels
|
||
level: core
|
||
type: object
|
||
object_type: keyword
|
||
description: 'Custom key/value pairs.
|
||
|
||
Can be used to add meta information to events. Should not contain nested objects.
|
||
All values are stored as keyword.
|
||
|
||
Example: `docker` and `k8s` labels.'
|
||
example: '{"application": "foo-bar", "env": "production"}'
|
||
- name: message
|
||
level: core
|
||
type: match_only_text
|
||
description: 'For log events the message field contains the log message, optimized
|
||
for viewing in a log viewer.
|
||
|
||
For structured logs without an original message field, other fields can be concatenated
|
||
to form a human-readable summary of the event.
|
||
|
||
If multiple messages exist, they can be combined into one message.'
|
||
example: Hello World
|
||
- name: tags
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of keywords used to tag each event.
|
||
example: '["production", "env2"]'
|
||
- name: agent
|
||
title: Agent
|
||
group: 2
|
||
description: 'The agent fields contain the data about the software entity, if
|
||
any, that collects, detects, or observes events on a host, or takes measurements
|
||
on a host.
|
||
|
||
Examples include Beats. Agents may also run on observers. ECS agent.* fields
|
||
shall be populated with details of the agent running on the host or observer
|
||
where the event happened or the measurement was taken.'
|
||
footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat.
|
||
For APM, it is the agent running in the app/service. The agent information does
|
||
not change if data is sent through queuing systems like Kafka, Redis, or processing
|
||
systems such as Logstash or APM Server.'
|
||
type: group
|
||
fields:
|
||
- name: build.original
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Extended build information for the agent.
|
||
|
||
This field is intended to contain any build information that a data source
|
||
may provide, no specific formatting is required.'
|
||
example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c
|
||
built 2020-02-05 23:10:10 +0000 UTC]
|
||
default_field: false
|
||
- name: ephemeral_id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Ephemeral identifier of this agent (if one exists).
|
||
|
||
This id normally changes across restarts, but `agent.id` does not.'
|
||
example: 8a4f500f
|
||
- name: id
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Unique identifier of this agent (if one exists).
|
||
|
||
Example: For Beats this would be beat.id.'
|
||
example: 8a4f500d
|
||
- name: name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Custom name of the agent.
|
||
|
||
This is a name that can be given to an agent. This can be helpful if for example
|
||
two Filebeat instances are running on the same host but a human readable separation
|
||
is needed on which Filebeat instance data is coming from.
|
||
|
||
If no name is given, the name is often left empty.'
|
||
example: foo
|
||
- name: type
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Type of the agent.
|
||
|
||
The agent type always stays the same and should be given by the agent used.
|
||
In case of Filebeat the agent would always be Filebeat also if two Filebeat
|
||
instances are run on the same machine.'
|
||
example: filebeat
|
||
- name: version
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Version of the agent.
|
||
example: 6.0.0-rc2
|
||
- name: as
|
||
title: Autonomous System
|
||
group: 2
|
||
description: An autonomous system (AS) is a collection of connected Internet Protocol
|
||
(IP) routing prefixes under the control of one or more network operators on
|
||
behalf of a single administrative entity or domain that presents a common, clearly
|
||
defined routing policy to the internet.
|
||
type: group
|
||
fields:
|
||
- name: number
|
||
level: extended
|
||
type: long
|
||
description: Unique number allocated to the autonomous system. The autonomous
|
||
system number (ASN) uniquely identifies each network on the Internet.
|
||
example: 15169
|
||
- name: organization.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Organization name.
|
||
example: Google LLC
|
||
- name: client
|
||
title: Client
|
||
group: 2
|
||
description: 'A client is defined as the initiator of a network connection for
|
||
events regarding sessions, connections, or bidirectional flow records.
|
||
|
||
For TCP events, the client is the initiator of the TCP connection that sends
|
||
the SYN packet(s). For other protocols, the client is generally the initiator
|
||
or requestor in the network transaction. Some systems use the term "originator"
|
||
to refer the client in TCP connections. The client fields describe details about
|
||
the system acting as the client in the network event. Client fields are usually
|
||
populated in conjunction with server fields. Client fields are generally not
|
||
populated for packet-level events.
|
||
|
||
Client / server representations can add semantic context to an exchange, which
|
||
is helpful to visualize the data in certain situations. If your context falls
|
||
in that category, you should still ensure that source and destination are filled
|
||
appropriately.'
|
||
type: group
|
||
fields:
|
||
- name: address
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Some event client addresses are defined ambiguously. The event
|
||
will sometimes list an IP, a domain or a unix socket. You should always store
|
||
the raw address in the `.address` field.
|
||
|
||
Then it should be duplicated to `.ip` or `.domain`, depending on which one
|
||
it is.'
|
||
- name: as.number
|
||
level: extended
|
||
type: long
|
||
description: Unique number allocated to the autonomous system. The autonomous
|
||
system number (ASN) uniquely identifies each network on the Internet.
|
||
example: 15169
|
||
- name: as.organization.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Organization name.
|
||
example: Google LLC
|
||
- name: bytes
|
||
level: core
|
||
type: long
|
||
format: bytes
|
||
description: Bytes sent from the client to the server.
|
||
example: 184
|
||
- name: domain
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Client domain.
|
||
- name: geo.city_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: City name.
|
||
example: Montreal
|
||
- name: geo.continent_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Two-letter code representing continent's name.
|
||
example: NA
|
||
default_field: false
|
||
- name: geo.continent_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the continent.
|
||
example: North America
|
||
- name: geo.country_iso_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Country ISO code.
|
||
example: CA
|
||
- name: geo.country_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Country name.
|
||
example: Canada
|
||
- name: geo.location
|
||
level: core
|
||
type: geo_point
|
||
description: Longitude and latitude.
|
||
example: '{ "lon": -73.614830, "lat": 45.505918 }'
|
||
- name: geo.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'User-defined description of a location, at the level of granularity
|
||
they care about.
|
||
|
||
Could be the name of their data centers, the floor number, if this describes
|
||
a local physical entity, city names.
|
||
|
||
Not typically used in automated geolocation.'
|
||
example: boston-dc
|
||
- name: geo.postal_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Postal code associated with the location.
|
||
|
||
Values appropriate for this field may also be known as a postcode or ZIP code
|
||
and will vary widely from country to country.'
|
||
example: 94040
|
||
default_field: false
|
||
- name: geo.region_iso_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Region ISO code.
|
||
example: CA-QC
|
||
- name: geo.region_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Region name.
|
||
example: Quebec
|
||
- name: geo.timezone
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The time zone of the location, such as IANA time zone name.
|
||
example: America/Argentina/Buenos_Aires
|
||
default_field: false
|
||
- name: ip
|
||
level: core
|
||
type: ip
|
||
description: IP address of the client (IPv4 or IPv6).
|
||
- name: mac
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'MAC address of the client.
|
||
|
||
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
|
||
byte) is represented by two [uppercase] hexadecimal digits giving the value
|
||
of the octet as an unsigned integer. Successive octets are separated by a
|
||
hyphen.'
|
||
example: 00-00-5E-00-53-23
|
||
- name: nat.ip
|
||
level: extended
|
||
type: ip
|
||
description: 'Translated IP of source based NAT sessions (e.g. internal client
|
||
to internet).
|
||
|
||
Typically connections traversing load balancers, firewalls, or routers.'
|
||
- name: nat.port
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: 'Translated port of source based NAT sessions (e.g. internal client
|
||
to internet).
|
||
|
||
Typically connections traversing load balancers, firewalls, or routers.'
|
||
- name: packets
|
||
level: core
|
||
type: long
|
||
description: Packets sent from the client to the server.
|
||
example: 12
|
||
- name: port
|
||
level: core
|
||
type: long
|
||
format: string
|
||
description: Port of the client.
|
||
- name: registered_domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The highest registered client domain, stripped of the subdomain.
|
||
|
||
For example, the registered domain for "foo.example.com" is "example.com".
|
||
|
||
This value can be determined precisely with a list like the public suffix
|
||
list (http://publicsuffix.org). Trying to approximate this by simply taking
|
||
the last two labels will not work well for TLDs such as "co.uk".'
|
||
example: example.com
|
||
- name: subdomain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The subdomain portion of a fully qualified domain name includes
|
||
all of the names except the host name under the registered_domain. In a partially
|
||
qualified domain, or if the the qualification level of the full name cannot
|
||
be determined, subdomain contains all of the names below the registered domain.
|
||
|
||
For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
|
||
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
|
||
the subdomain field should contain "sub2.sub1", with no trailing period.'
|
||
example: east
|
||
default_field: false
|
||
- name: top_level_domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The effective top level domain (eTLD), also known as the domain
|
||
suffix, is the last part of the domain name. For example, the top level domain
|
||
for example.com is "com".
|
||
|
||
This value can be determined precisely with a list like the public suffix
|
||
list (http://publicsuffix.org). Trying to approximate this by simply taking
|
||
the last label will not work well for effective TLDs such as "co.uk".'
|
||
example: co.uk
|
||
- name: user.domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the directory the user is a member of.
|
||
|
||
For example, an LDAP or Active Directory domain name.'
|
||
- name: user.email
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: User email address.
|
||
- name: user.full_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: User's full name, if available.
|
||
example: Albert Einstein
|
||
- name: user.group.domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the directory the group is a member of.
|
||
|
||
For example, an LDAP or Active Directory domain name.'
|
||
- name: user.group.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier for the group on the system/platform.
|
||
- name: user.group.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the group.
|
||
- name: user.hash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Unique user hash to correlate information for a user in anonymized
|
||
form.
|
||
|
||
Useful if `user.id` or `user.name` contain confidential information and cannot
|
||
be used.'
|
||
- name: user.id
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier of the user.
|
||
example: S-1-5-21-202424912787-2692429404-2351956786-1000
|
||
- name: user.name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Short name or login of the user.
|
||
example: a.einstein
|
||
- name: user.roles
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Array of user roles at the time of the event.
|
||
example: '["kibana_admin", "reporting_user"]'
|
||
default_field: false
|
||
- name: cloud
|
||
title: Cloud
|
||
group: 2
|
||
description: Fields related to the cloud or infrastructure the events are coming
|
||
from.
|
||
footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data
|
||
from its host, the cloud info contains the data about this machine. If Metricbeat
|
||
runs on a remote machine outside the cloud and fetches data from a service running
|
||
in the cloud, the field contains cloud data from the machine the service is
|
||
running on.'
|
||
type: group
|
||
fields:
|
||
- name: account.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The cloud account or organization id used to identify different
|
||
entities in a multi-tenant environment.
|
||
|
||
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
|
||
example: 666777888999
|
||
- name: account.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The cloud account name or alias used to identify different entities
|
||
in a multi-tenant environment.
|
||
|
||
Examples: AWS account name, Google Cloud ORG display name.'
|
||
example: elastic-dev
|
||
default_field: false
|
||
- name: availability_zone
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Availability zone in which this host, resource, or service is located.
|
||
example: us-east-1c
|
||
- name: instance.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Instance ID of the host machine.
|
||
example: i-1234567890abcdef0
|
||
- name: instance.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Instance name of the host machine.
|
||
- name: machine.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Machine type of the host machine.
|
||
example: t2.medium
|
||
- name: project.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The cloud project identifier.
|
||
|
||
Examples: Google Cloud Project id, Azure Project id.'
|
||
example: my-project
|
||
default_field: false
|
||
- name: project.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The cloud project name.
|
||
|
||
Examples: Google Cloud Project name, Azure Project name.'
|
||
example: my project
|
||
default_field: false
|
||
- name: provider
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the cloud provider. Example values are aws, azure, gcp,
|
||
or digitalocean.
|
||
example: aws
|
||
- name: region
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Region in which this host, resource, or service is located.
|
||
example: us-east-1
|
||
- name: service.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The cloud service name is intended to distinguish services running
|
||
on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs
|
||
App Engine, Azure VM vs App Server.
|
||
|
||
Examples: app engine, app service, cloud run, fargate, lambda.'
|
||
example: lambda
|
||
default_field: false
|
||
- name: code_signature
|
||
title: Code Signature
|
||
group: 2
|
||
description: These fields contain information about binary code signatures.
|
||
type: group
|
||
fields:
|
||
- name: digest_algorithm
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The hashing algorithm used to sign the process.
|
||
|
||
This value can distinguish signatures when a file is signed multiple times
|
||
by the same signer but with a different digest algorithm.'
|
||
example: sha256
|
||
default_field: false
|
||
- name: exists
|
||
level: core
|
||
type: boolean
|
||
description: Boolean to capture if a signature is present.
|
||
example: 'true'
|
||
default_field: false
|
||
- name: signing_id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The identifier used to sign the process.
|
||
|
||
This is used to identify the application manufactured by a software vendor.
|
||
The field is relevant to Apple *OS only.'
|
||
example: com.apple.xpc.proxy
|
||
default_field: false
|
||
- name: status
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Additional information about the certificate status.
|
||
|
||
This is useful for logging cryptographic errors with the certificate validity
|
||
or trust status. Leave unpopulated if the validity or trust of the certificate
|
||
was unchecked.'
|
||
example: ERROR_UNTRUSTED_ROOT
|
||
default_field: false
|
||
- name: subject_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Subject name of the code signer
|
||
example: Microsoft Corporation
|
||
default_field: false
|
||
- name: team_id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The team identifier used to sign the process.
|
||
|
||
This is used to identify the team or vendor of a software product. The field
|
||
is relevant to Apple *OS only.'
|
||
example: EQHXZ8M8AV
|
||
default_field: false
|
||
- name: timestamp
|
||
level: extended
|
||
type: date
|
||
description: Date and time when the code signature was generated and signed.
|
||
example: '2021-01-01T12:10:30Z'
|
||
default_field: false
|
||
- name: trusted
|
||
level: extended
|
||
type: boolean
|
||
description: 'Stores the trust status of the certificate chain.
|
||
|
||
Validating the trust of the certificate chain may be complicated, and this
|
||
field should only be populated by tools that actively check the status.'
|
||
example: 'true'
|
||
default_field: false
|
||
- name: valid
|
||
level: extended
|
||
type: boolean
|
||
description: 'Boolean to capture if the digital signature is verified against
|
||
the binary content.
|
||
|
||
Leave unpopulated if a certificate was unchecked.'
|
||
example: 'true'
|
||
default_field: false
|
||
- name: container
|
||
title: Container
|
||
group: 2
|
||
description: 'Container fields are used for meta information about the specific
|
||
container that is the source of information.
|
||
|
||
These fields help correlate data based containers from any runtime.'
|
||
type: group
|
||
fields:
|
||
- name: id
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique container id.
|
||
- name: image.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the image the container was built on.
|
||
- name: image.tag
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Container image tags.
|
||
- name: labels
|
||
level: extended
|
||
type: object
|
||
object_type: keyword
|
||
description: Image labels.
|
||
- name: name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Container name.
|
||
- name: runtime
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Runtime managing this container.
|
||
example: docker
|
||
- name: data_stream
|
||
title: Data Stream
|
||
group: 2
|
||
description: 'The data_stream fields take part in defining the new data stream
|
||
naming scheme.
|
||
|
||
In the new data stream naming scheme the value of the data stream fields combine
|
||
to the name of the actual data stream in the following manner: `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`.
|
||
This means the fields can only contain characters that are valid as part of
|
||
names of data streams. More details about this can be found in this https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme[blog
|
||
post].
|
||
|
||
An Elasticsearch data stream consists of one or more backing indices, and a
|
||
data stream name forms part of the backing indices names. Due to this convention,
|
||
data streams must also follow index naming restrictions. For example, data stream
|
||
names cannot include `\`, `/`, `*`, `?`, `"`, `<`, `>`, `|`, ` ` (space character),
|
||
`,`, or `#`. Please see the Elasticsearch reference for additional https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params[restrictions].'
|
||
type: group
|
||
fields:
|
||
- name: dataset
|
||
level: extended
|
||
type: constant_keyword
|
||
description: "The field can contain anything that makes sense to signify the\
|
||
\ source of the data.\nExamples include `nginx.access`, `prometheus`, `endpoint`\
|
||
\ etc. For data streams that otherwise fit, but that do not have dataset set\
|
||
\ we use the value \"generic\" for the dataset value. `event.dataset` should\
|
||
\ have the same value as `data_stream.dataset`.\nBeyond the Elasticsearch\
|
||
\ data stream naming criteria noted above, the `dataset` value has additional\
|
||
\ restrictions:\n * Must not contain `-`\n * No longer than 100 characters"
|
||
example: nginx.access
|
||
default_field: false
|
||
- name: namespace
|
||
level: extended
|
||
type: constant_keyword
|
||
description: "A user defined namespace. Namespaces are useful to allow grouping\
|
||
\ of data.\nMany users already organize their indices this way, and the data\
|
||
\ stream naming scheme now provides this best practice as a default. Many\
|
||
\ users will populate this field with `default`. If no value is used, it falls\
|
||
\ back to `default`.\nBeyond the Elasticsearch index naming criteria noted\
|
||
\ above, `namespace` value has the additional restrictions:\n * Must not\
|
||
\ contain `-`\n * No longer than 100 characters"
|
||
example: production
|
||
default_field: false
|
||
- name: type
|
||
level: extended
|
||
type: constant_keyword
|
||
description: 'An overarching type for the data stream.
|
||
|
||
Currently allowed values are "logs" and "metrics". We expect to also add "traces"
|
||
and "synthetics" in the near future.'
|
||
example: logs
|
||
default_field: false
|
||
- name: destination
|
||
title: Destination
|
||
group: 2
|
||
description: 'Destination fields capture details about the receiver of a network
|
||
exchange/packet. These fields are populated from a network event, packet, or
|
||
other event containing details of a network transaction.
|
||
|
||
Destination fields are usually populated in conjunction with source fields.
|
||
The source and destination fields are considered the baseline and should always
|
||
be filled if an event contains source and destination details from a network
|
||
transaction. If the event also contains identification of the client and server
|
||
roles, then the client and server fields should also be populated.'
|
||
type: group
|
||
fields:
|
||
- name: address
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Some event destination addresses are defined ambiguously. The
|
||
event will sometimes list an IP, a domain or a unix socket. You should always
|
||
store the raw address in the `.address` field.
|
||
|
||
Then it should be duplicated to `.ip` or `.domain`, depending on which one
|
||
it is.'
|
||
- name: as.number
|
||
level: extended
|
||
type: long
|
||
description: Unique number allocated to the autonomous system. The autonomous
|
||
system number (ASN) uniquely identifies each network on the Internet.
|
||
example: 15169
|
||
- name: as.organization.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Organization name.
|
||
example: Google LLC
|
||
- name: bytes
|
||
level: core
|
||
type: long
|
||
format: bytes
|
||
description: Bytes sent from the destination to the source.
|
||
example: 184
|
||
- name: domain
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Destination domain.
|
||
- name: geo.city_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: City name.
|
||
example: Montreal
|
||
- name: geo.continent_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Two-letter code representing continent's name.
|
||
example: NA
|
||
default_field: false
|
||
- name: geo.continent_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the continent.
|
||
example: North America
|
||
- name: geo.country_iso_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Country ISO code.
|
||
example: CA
|
||
- name: geo.country_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Country name.
|
||
example: Canada
|
||
- name: geo.location
|
||
level: core
|
||
type: geo_point
|
||
description: Longitude and latitude.
|
||
example: '{ "lon": -73.614830, "lat": 45.505918 }'
|
||
- name: geo.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'User-defined description of a location, at the level of granularity
|
||
they care about.
|
||
|
||
Could be the name of their data centers, the floor number, if this describes
|
||
a local physical entity, city names.
|
||
|
||
Not typically used in automated geolocation.'
|
||
example: boston-dc
|
||
- name: geo.postal_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Postal code associated with the location.
|
||
|
||
Values appropriate for this field may also be known as a postcode or ZIP code
|
||
and will vary widely from country to country.'
|
||
example: 94040
|
||
default_field: false
|
||
- name: geo.region_iso_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Region ISO code.
|
||
example: CA-QC
|
||
- name: geo.region_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Region name.
|
||
example: Quebec
|
||
- name: geo.timezone
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The time zone of the location, such as IANA time zone name.
|
||
example: America/Argentina/Buenos_Aires
|
||
default_field: false
|
||
- name: ip
|
||
level: core
|
||
type: ip
|
||
description: IP address of the destination (IPv4 or IPv6).
|
||
- name: mac
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'MAC address of the destination.
|
||
|
||
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
|
||
byte) is represented by two [uppercase] hexadecimal digits giving the value
|
||
of the octet as an unsigned integer. Successive octets are separated by a
|
||
hyphen.'
|
||
example: 00-00-5E-00-53-23
|
||
- name: nat.ip
|
||
level: extended
|
||
type: ip
|
||
description: 'Translated ip of destination based NAT sessions (e.g. internet
|
||
to private DMZ)
|
||
|
||
Typically used with load balancers, firewalls, or routers.'
|
||
- name: nat.port
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: 'Port the source session is translated to by NAT Device.
|
||
|
||
Typically used with load balancers, firewalls, or routers.'
|
||
- name: packets
|
||
level: core
|
||
type: long
|
||
description: Packets sent from the destination to the source.
|
||
example: 12
|
||
- name: port
|
||
level: core
|
||
type: long
|
||
format: string
|
||
description: Port of the destination.
|
||
- name: registered_domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The highest registered destination domain, stripped of the subdomain.
|
||
|
||
For example, the registered domain for "foo.example.com" is "example.com".
|
||
|
||
This value can be determined precisely with a list like the public suffix
|
||
list (http://publicsuffix.org). Trying to approximate this by simply taking
|
||
the last two labels will not work well for TLDs such as "co.uk".'
|
||
example: example.com
|
||
- name: subdomain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The subdomain portion of a fully qualified domain name includes
|
||
all of the names except the host name under the registered_domain. In a partially
|
||
qualified domain, or if the the qualification level of the full name cannot
|
||
be determined, subdomain contains all of the names below the registered domain.
|
||
|
||
For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
|
||
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
|
||
the subdomain field should contain "sub2.sub1", with no trailing period.'
|
||
example: east
|
||
default_field: false
|
||
- name: top_level_domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The effective top level domain (eTLD), also known as the domain
|
||
suffix, is the last part of the domain name. For example, the top level domain
|
||
for example.com is "com".
|
||
|
||
This value can be determined precisely with a list like the public suffix
|
||
list (http://publicsuffix.org). Trying to approximate this by simply taking
|
||
the last label will not work well for effective TLDs such as "co.uk".'
|
||
example: co.uk
|
||
- name: user.domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the directory the user is a member of.
|
||
|
||
For example, an LDAP or Active Directory domain name.'
|
||
- name: user.email
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: User email address.
|
||
- name: user.full_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: User's full name, if available.
|
||
example: Albert Einstein
|
||
- name: user.group.domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the directory the group is a member of.
|
||
|
||
For example, an LDAP or Active Directory domain name.'
|
||
- name: user.group.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier for the group on the system/platform.
|
||
- name: user.group.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the group.
|
||
- name: user.hash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Unique user hash to correlate information for a user in anonymized
|
||
form.
|
||
|
||
Useful if `user.id` or `user.name` contain confidential information and cannot
|
||
be used.'
|
||
- name: user.id
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier of the user.
|
||
example: S-1-5-21-202424912787-2692429404-2351956786-1000
|
||
- name: user.name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Short name or login of the user.
|
||
example: a.einstein
|
||
- name: user.roles
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Array of user roles at the time of the event.
|
||
example: '["kibana_admin", "reporting_user"]'
|
||
default_field: false
|
||
- name: dll
|
||
title: DLL
|
||
group: 2
|
||
description: 'These fields contain information about code libraries dynamically
|
||
loaded into processes.
|
||
|
||
|
||
Many operating systems refer to "shared code libraries" with different names,
|
||
but this field set refers to all of the following:
|
||
|
||
* Dynamic-link library (`.dll`) commonly used on Windows
|
||
|
||
* Shared Object (`.so`) commonly used on Unix-like operating systems
|
||
|
||
* Dynamic library (`.dylib`) commonly used on macOS'
|
||
type: group
|
||
fields:
|
||
- name: code_signature.digest_algorithm
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The hashing algorithm used to sign the process.
|
||
|
||
This value can distinguish signatures when a file is signed multiple times
|
||
by the same signer but with a different digest algorithm.'
|
||
example: sha256
|
||
default_field: false
|
||
- name: code_signature.exists
|
||
level: core
|
||
type: boolean
|
||
description: Boolean to capture if a signature is present.
|
||
example: 'true'
|
||
default_field: false
|
||
- name: code_signature.signing_id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The identifier used to sign the process.
|
||
|
||
This is used to identify the application manufactured by a software vendor.
|
||
The field is relevant to Apple *OS only.'
|
||
example: com.apple.xpc.proxy
|
||
default_field: false
|
||
- name: code_signature.status
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Additional information about the certificate status.
|
||
|
||
This is useful for logging cryptographic errors with the certificate validity
|
||
or trust status. Leave unpopulated if the validity or trust of the certificate
|
||
was unchecked.'
|
||
example: ERROR_UNTRUSTED_ROOT
|
||
default_field: false
|
||
- name: code_signature.subject_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Subject name of the code signer
|
||
example: Microsoft Corporation
|
||
default_field: false
|
||
- name: code_signature.team_id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The team identifier used to sign the process.
|
||
|
||
This is used to identify the team or vendor of a software product. The field
|
||
is relevant to Apple *OS only.'
|
||
example: EQHXZ8M8AV
|
||
default_field: false
|
||
- name: code_signature.timestamp
|
||
level: extended
|
||
type: date
|
||
description: Date and time when the code signature was generated and signed.
|
||
example: '2021-01-01T12:10:30Z'
|
||
default_field: false
|
||
- name: code_signature.trusted
|
||
level: extended
|
||
type: boolean
|
||
description: 'Stores the trust status of the certificate chain.
|
||
|
||
Validating the trust of the certificate chain may be complicated, and this
|
||
field should only be populated by tools that actively check the status.'
|
||
example: 'true'
|
||
default_field: false
|
||
- name: code_signature.valid
|
||
level: extended
|
||
type: boolean
|
||
description: 'Boolean to capture if the digital signature is verified against
|
||
the binary content.
|
||
|
||
Leave unpopulated if a certificate was unchecked.'
|
||
example: 'true'
|
||
default_field: false
|
||
- name: hash.md5
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: MD5 hash.
|
||
default_field: false
|
||
- name: hash.sha1
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA1 hash.
|
||
default_field: false
|
||
- name: hash.sha256
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA256 hash.
|
||
default_field: false
|
||
- name: hash.sha512
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA512 hash.
|
||
default_field: false
|
||
- name: hash.ssdeep
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SSDEEP hash.
|
||
default_field: false
|
||
- name: name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the library.
|
||
|
||
This generally maps to the name of the file on disk.'
|
||
example: kernel32.dll
|
||
default_field: false
|
||
- name: path
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Full file path of the library.
|
||
example: C:\Windows\System32\kernel32.dll
|
||
default_field: false
|
||
- name: pe.architecture
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: CPU architecture target for the file.
|
||
example: x64
|
||
default_field: false
|
||
- name: pe.company
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal company name of the file, provided at compile-time.
|
||
example: Microsoft Corporation
|
||
default_field: false
|
||
- name: pe.description
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal description of the file, provided at compile-time.
|
||
example: Paint
|
||
default_field: false
|
||
- name: pe.file_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal version of the file, provided at compile-time.
|
||
example: 6.3.9600.17415
|
||
default_field: false
|
||
- name: pe.imphash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'A hash of the imports in a PE file. An imphash -- or import hash
|
||
-- can be used to fingerprint binaries even after recompilation or other code-level
|
||
transformations have occurred, which would change more traditional hash values.
|
||
|
||
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
|
||
example: 0c6803c4e922103c4dca5963aad36ddf
|
||
default_field: false
|
||
- name: pe.original_file_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal name of the file, provided at compile-time.
|
||
example: MSPAINT.EXE
|
||
default_field: false
|
||
- name: pe.product
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal product name of the file, provided at compile-time.
|
||
example: "Microsoft\xAE Windows\xAE Operating System"
|
||
default_field: false
|
||
- name: dns
|
||
title: DNS
|
||
group: 2
|
||
description: 'Fields describing DNS queries and answers.
|
||
|
||
DNS events should either represent a single DNS query prior to getting answers
|
||
(`dns.type:query`) or they should represent a full exchange and contain the
|
||
query details as well as all of the answers that were provided for this query
|
||
(`dns.type:answer`).'
|
||
type: group
|
||
fields:
|
||
- name: answers
|
||
level: extended
|
||
type: object
|
||
description: 'An array containing an object for each answer section returned
|
||
by the server.
|
||
|
||
The main keys that should be present in these objects are defined by ECS.
|
||
Records that have more information may contain more keys than what ECS defines.
|
||
|
||
Not all DNS data sources give all details about DNS answers. At minimum, answer
|
||
objects must contain the `data` key. If more information is available, map
|
||
as much of it to ECS as possible, and add any additional fields to the answer
|
||
objects as custom fields.'
|
||
- name: answers.class
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The class of DNS data contained in this resource record.
|
||
example: IN
|
||
- name: answers.data
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The data describing the resource.
|
||
|
||
The meaning of this data depends on the type and class of the resource record.'
|
||
example: 10.10.10.10
|
||
- name: answers.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The domain name to which this resource record pertains.
|
||
|
||
If a chain of CNAME is being resolved, each answer''s `name` should be the
|
||
one that corresponds with the answer''s `data`. It should not simply be the
|
||
original `question.name` repeated.'
|
||
example: www.example.com
|
||
- name: answers.ttl
|
||
level: extended
|
||
type: long
|
||
description: The time interval in seconds that this resource record may be cached
|
||
before it should be discarded. Zero values mean that the data should not be
|
||
cached.
|
||
example: 180
|
||
- name: answers.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The type of data contained in this resource record.
|
||
example: CNAME
|
||
- name: header_flags
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Array of 2 letter DNS header flags.
|
||
|
||
Expected values are: AA, TC, RD, RA, AD, CD, DO.'
|
||
example: '["RD", "RA"]'
|
||
- name: id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The DNS packet identifier assigned by the program that generated
|
||
the query. The identifier is copied to the response.
|
||
example: 62111
|
||
- name: op_code
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The DNS operation code that specifies the kind of query in the
|
||
message. This value is set by the originator of a query and copied into the
|
||
response.
|
||
example: QUERY
|
||
- name: question.class
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The class of records being queried.
|
||
example: IN
|
||
- name: question.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The name being queried.
|
||
|
||
If the name field contains non-printable characters (below 32 or above 126),
|
||
those characters should be represented as escaped base 10 integers (\DDD).
|
||
Back slashes and quotes should be escaped. Tabs, carriage returns, and line
|
||
feeds should be converted to \t, \r, and \n respectively.'
|
||
example: www.example.com
|
||
- name: question.registered_domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The highest registered domain, stripped of the subdomain.
|
||
|
||
For example, the registered domain for "foo.example.com" is "example.com".
|
||
|
||
This value can be determined precisely with a list like the public suffix
|
||
list (http://publicsuffix.org). Trying to approximate this by simply taking
|
||
the last two labels will not work well for TLDs such as "co.uk".'
|
||
example: example.com
|
||
- name: question.subdomain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The subdomain is all of the labels under the registered_domain.
|
||
|
||
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
|
||
the subdomain field should contain "sub2.sub1", with no trailing period.'
|
||
example: www
|
||
- name: question.top_level_domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The effective top level domain (eTLD), also known as the domain
|
||
suffix, is the last part of the domain name. For example, the top level domain
|
||
for example.com is "com".
|
||
|
||
This value can be determined precisely with a list like the public suffix
|
||
list (http://publicsuffix.org). Trying to approximate this by simply taking
|
||
the last label will not work well for effective TLDs such as "co.uk".'
|
||
example: co.uk
|
||
- name: question.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The type of record being queried.
|
||
example: AAAA
|
||
- name: resolved_ip
|
||
level: extended
|
||
type: ip
|
||
description: 'Array containing all IPs seen in `answers.data`.
|
||
|
||
The `answers` array can be difficult to use, because of the variety of data
|
||
formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip`
|
||
makes it possible to index them as IP addresses, and makes them easier to
|
||
visualize and query for.'
|
||
example: '["10.10.10.10", "10.10.10.11"]'
|
||
- name: response_code
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The DNS response code.
|
||
example: NOERROR
|
||
- name: type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The type of DNS event captured, query or answer.
|
||
|
||
If your source of DNS events only gives you DNS queries, you should only create
|
||
dns events of type `dns.type:query`.
|
||
|
||
If your source of DNS events gives you answers as well, you should create
|
||
one event per query (optionally as soon as the query is seen). And a second
|
||
event containing all query details as well as an array of answers.'
|
||
example: answer
|
||
- name: ecs
|
||
title: ECS
|
||
group: 2
|
||
description: Meta-information specific to ECS.
|
||
type: group
|
||
fields:
|
||
- name: version
|
||
level: core
|
||
required: true
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'ECS version this event conforms to. `ecs.version` is a required
|
||
field and must exist in all events.
|
||
|
||
When querying across multiple indices -- which may conform to slightly different
|
||
ECS versions -- this field lets integrations adjust to the schema version
|
||
of the events.'
|
||
example: 1.0.0
|
||
- name: elf
|
||
title: ELF Header
|
||
group: 2
|
||
description: These fields contain Linux Executable Linkable Format (ELF) metadata.
|
||
type: group
|
||
fields:
|
||
- name: architecture
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Machine architecture of the ELF file.
|
||
example: x86-64
|
||
default_field: false
|
||
- name: byte_order
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Byte sequence of ELF file.
|
||
example: Little Endian
|
||
default_field: false
|
||
- name: cpu_type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: CPU type of the ELF file.
|
||
example: Intel
|
||
default_field: false
|
||
- name: creation_date
|
||
level: extended
|
||
type: date
|
||
description: Extracted when possible from the file's metadata. Indicates when
|
||
it was built or compiled. It can also be faked by malware creators.
|
||
default_field: false
|
||
- name: exports
|
||
level: extended
|
||
type: flattened
|
||
description: List of exported element names and types.
|
||
default_field: false
|
||
- name: header.abi_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Version of the ELF Application Binary Interface (ABI).
|
||
default_field: false
|
||
- name: header.class
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Header class of the ELF file.
|
||
default_field: false
|
||
- name: header.data
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Data table of the ELF header.
|
||
default_field: false
|
||
- name: header.entrypoint
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: Header entrypoint of the ELF file.
|
||
default_field: false
|
||
- name: header.object_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: '"0x1" for original ELF files.'
|
||
default_field: false
|
||
- name: header.os_abi
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Application Binary Interface (ABI) of the Linux OS.
|
||
default_field: false
|
||
- name: header.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Header type of the ELF file.
|
||
default_field: false
|
||
- name: header.version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Version of the ELF header.
|
||
default_field: false
|
||
- name: imports
|
||
level: extended
|
||
type: flattened
|
||
description: List of imported element names and types.
|
||
default_field: false
|
||
- name: sections
|
||
level: extended
|
||
type: nested
|
||
description: 'An array containing an object for each section of the ELF file.
|
||
|
||
The keys that should be present in these objects are defined by sub-fields
|
||
underneath `elf.sections.*`.'
|
||
default_field: false
|
||
- name: sections.chi2
|
||
level: extended
|
||
type: long
|
||
format: number
|
||
description: Chi-square probability distribution of the section.
|
||
default_field: false
|
||
- name: sections.entropy
|
||
level: extended
|
||
type: long
|
||
format: number
|
||
description: Shannon entropy calculation from the section.
|
||
default_field: false
|
||
- name: sections.flags
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List flags.
|
||
default_field: false
|
||
- name: sections.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List name.
|
||
default_field: false
|
||
- name: sections.physical_offset
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List offset.
|
||
default_field: false
|
||
- name: sections.physical_size
|
||
level: extended
|
||
type: long
|
||
format: bytes
|
||
description: ELF Section List physical size.
|
||
default_field: false
|
||
- name: sections.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List type.
|
||
default_field: false
|
||
- name: sections.virtual_address
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: ELF Section List virtual address.
|
||
default_field: false
|
||
- name: sections.virtual_size
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: ELF Section List virtual size.
|
||
default_field: false
|
||
- name: segments
|
||
level: extended
|
||
type: nested
|
||
description: 'An array containing an object for each segment of the ELF file.
|
||
|
||
The keys that should be present in these objects are defined by sub-fields
|
||
underneath `elf.segments.*`.'
|
||
default_field: false
|
||
- name: segments.sections
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF object segment sections.
|
||
default_field: false
|
||
- name: segments.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF object segment type.
|
||
default_field: false
|
||
- name: shared_libraries
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of shared libraries used by this ELF object.
|
||
default_field: false
|
||
- name: telfhash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: telfhash symbol hash for ELF file.
|
||
default_field: false
|
||
- name: error
|
||
title: Error
|
||
group: 2
|
||
description: 'These fields can represent errors of any kind.
|
||
|
||
Use them for errors that happen while fetching events or in cases where the
|
||
event itself contains an error.'
|
||
type: group
|
||
fields:
|
||
- name: code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Error code describing the error.
|
||
- name: id
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier for the error.
|
||
- name: message
|
||
level: core
|
||
type: match_only_text
|
||
description: Error message.
|
||
- name: stack_trace
|
||
level: extended
|
||
type: wildcard
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: The stack trace of this error in plain text.
|
||
- name: type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The type of the error, for example the class name of the exception.
|
||
example: java.lang.NullPointerException
|
||
- name: event
|
||
title: Event
|
||
group: 2
|
||
description: 'The event fields are used for context information about the log
|
||
or metric event itself.
|
||
|
||
A log is defined as an event containing details of something that happened.
|
||
Log events must include the time at which the thing happened. Examples of log
|
||
events include a process starting on a host, a network packet being sent from
|
||
a source to a destination, or a network connection between a client and a server
|
||
being initiated or closed. A metric is defined as an event containing one or
|
||
more numerical measurements and the time at which the measurement was taken.
|
||
Examples of metric events include memory pressure measured on a host and device
|
||
temperature. See the `event.kind` definition in this section for additional
|
||
details about metric and state events.'
|
||
type: group
|
||
fields:
|
||
- name: action
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The action captured by the event.
|
||
|
||
This describes the information in the event. It is more specific than `event.category`.
|
||
Examples are `group-add`, `process-started`, `file-created`. The value is
|
||
normally defined by the implementer.'
|
||
example: user-password-change
|
||
- name: agent_id_status
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Agents are normally responsible for populating the `agent.id`
|
||
field value. If the system receiving events is capable of validating the value
|
||
based on authentication information for the client then this field can be
|
||
used to reflect the outcome of that validation.
|
||
|
||
For example if the agent''s connection is authenticated with mTLS and the
|
||
client cert contains the ID of the agent to which the cert was issued then
|
||
the `agent.id` value in events can be checked against the certificate. If
|
||
the values match then `event.agent_id_status: verified` is added to the event,
|
||
otherwise one of the other allowed values should be used.
|
||
|
||
If no validation is performed then the field should be omitted.
|
||
|
||
The allowed values are:
|
||
|
||
`verified` - The `agent.id` field value matches expected value obtained from
|
||
auth metadata.
|
||
|
||
`mismatch` - The `agent.id` field value does not match the expected value
|
||
obtained from auth metadata.
|
||
|
||
`missing` - There was no `agent.id` field in the event to validate.
|
||
|
||
`auth_metadata_missing` - There was no auth metadata or it was missing information
|
||
about the agent ID.'
|
||
example: verified
|
||
default_field: false
|
||
- name: category
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'This is one of four ECS Categorization Fields, and indicates the
|
||
second level in the ECS category hierarchy.
|
||
|
||
`event.category` represents the "big buckets" of ECS categories. For example,
|
||
filtering on `event.category:process` yields all events relating to process
|
||
activity. This field is closely related to `event.type`, which is used as
|
||
a subcategory.
|
||
|
||
This field is an array. This will allow proper categorization of some events
|
||
that fall in multiple categories.'
|
||
example: authentication
|
||
- name: code
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Identification code for this event, if one exists.
|
||
|
||
Some event sources use event codes to identify messages unambiguously, regardless
|
||
of message language or wording adjustments over time. An example of this is
|
||
the Windows Event ID.'
|
||
example: 4648
|
||
- name: created
|
||
level: core
|
||
type: date
|
||
description: 'event.created contains the date/time when the event was first
|
||
read by an agent, or by your pipeline.
|
||
|
||
This field is distinct from @timestamp in that @timestamp typically contain
|
||
the time extracted from the original event.
|
||
|
||
In most situations, these two timestamps will be slightly different. The difference
|
||
can be used to calculate the delay between your source generating an event,
|
||
and the time when your agent first processed it. This can be used to monitor
|
||
your agent''s or pipeline''s ability to keep up with your event source.
|
||
|
||
In case the two timestamps are identical, @timestamp should be used.'
|
||
example: '2016-05-23T08:05:34.857Z'
|
||
- name: dataset
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the dataset.
|
||
|
||
If an event source publishes more than one type of log or events (e.g. access
|
||
log, error log), the dataset is used to specify which one the event comes
|
||
from.
|
||
|
||
It''s recommended but not required to start the dataset name with the module
|
||
name, followed by a dot, then the dataset name.'
|
||
example: apache.access
|
||
- name: duration
|
||
level: core
|
||
type: long
|
||
format: duration
|
||
input_format: nanoseconds
|
||
output_format: asMilliseconds
|
||
output_precision: 1
|
||
description: 'Duration of the event in nanoseconds.
|
||
|
||
If event.start and event.end are known this value should be the difference
|
||
between the end and start time.'
|
||
- name: end
|
||
level: extended
|
||
type: date
|
||
description: event.end contains the date when the event ended or when the activity
|
||
was last observed.
|
||
- name: hash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Hash (perhaps logstash fingerprint) of raw field to be able to
|
||
demonstrate log integrity.
|
||
example: 123456789012345678901234567890ABCD
|
||
- name: id
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique ID to describe the event.
|
||
example: 8a4f500d
|
||
- name: ingested
|
||
level: core
|
||
type: date
|
||
description: 'Timestamp when an event arrived in the central data store.
|
||
|
||
This is different from `@timestamp`, which is when the event originally occurred. It''s
|
||
also different from `event.created`, which is meant to capture the first time
|
||
an agent saw the event.
|
||
|
||
In normal conditions, assuming no tampering, the timestamps should chronologically
|
||
look like this: `@timestamp` < `event.created` < `event.ingested`.'
|
||
example: '2016-05-23T08:05:35.101Z'
|
||
default_field: false
|
||
- name: kind
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'This is one of four ECS Categorization Fields, and indicates the
|
||
highest level in the ECS category hierarchy.
|
||
|
||
`event.kind` gives high-level information about what type of information the
|
||
event contains, without being specific to the contents of the event. For example,
|
||
values of this field distinguish alert events from metric events.
|
||
|
||
The value of this field can be used to inform how these kinds of events should
|
||
be handled. They may warrant different retention, different access control,
|
||
it may also help understand whether the data coming in at a regular interval
|
||
or not.'
|
||
example: alert
|
||
- name: module
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the module this data is coming from.
|
||
|
||
If your monitoring agent supports the concept of modules or plugins to process
|
||
events of a given source (e.g. Apache logs), `event.module` should contain
|
||
the name of this module.'
|
||
example: apache
|
||
- name: original
|
||
level: core
|
||
type: keyword
|
||
description: 'Raw text message of entire event. Used to demonstrate log integrity
|
||
or where the full log message (before splitting it up in multiple parts) may
|
||
be required, e.g. for reindex.
|
||
|
||
This field is not indexed and doc_values are disabled. It cannot be searched,
|
||
but it can be retrieved from `_source`. If users wish to override this and
|
||
index this field, please see `Field data types` in the `Elasticsearch Reference`.'
|
||
example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100|
|
||
worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
|
||
index: false
|
||
doc_values: false
|
||
- name: outcome
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'This is one of four ECS Categorization Fields, and indicates the
|
||
lowest level in the ECS category hierarchy.
|
||
|
||
`event.outcome` simply denotes whether the event represents a success or a
|
||
failure from the perspective of the entity that produced the event.
|
||
|
||
Note that when a single transaction is described in multiple events, each
|
||
event may populate different values of `event.outcome`, according to their
|
||
perspective.
|
||
|
||
Also note that in the case of a compound event (a single event that contains
|
||
multiple logical events), this field should be populated with the value that
|
||
best captures the overall success or failure from the perspective of the event
|
||
producer.
|
||
|
||
Further note that not all events will have an associated outcome. For example,
|
||
this field is generally not populated for metric events, events with `event.type:info`,
|
||
or any events for which an outcome does not make logical sense.'
|
||
example: success
|
||
- name: provider
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Source of the event.
|
||
|
||
Event transports such as Syslog or the Windows Event Log typically mention
|
||
the source of an event. It can be the name of the software that generated
|
||
the event (e.g. Sysmon, httpd), or of a subsystem of the operating system
|
||
(kernel, Microsoft-Windows-Security-Auditing).'
|
||
example: kernel
|
||
- name: reason
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Reason why this event happened, according to the source.
|
||
|
||
This describes the why of a particular action or outcome captured in the event.
|
||
Where `event.action` captures the action from the event, `event.reason` describes
|
||
why that action was taken. For example, a web proxy with an `event.action`
|
||
which denied the request may also populate `event.reason` with the reason
|
||
why (e.g. `blocked site`).'
|
||
example: Terminated an unexpected process
|
||
default_field: false
|
||
- name: reference
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Reference URL linking to additional information about this event.
|
||
|
||
This URL links to a static definition of this event. Alert events, indicated
|
||
by `event.kind:alert`, are a common use case for this field.'
|
||
example: https://system.example.com/event/#0001234
|
||
default_field: false
|
||
- name: risk_score
|
||
level: core
|
||
type: float
|
||
description: Risk score or priority of the event (e.g. security solutions).
|
||
Use your system's original value here.
|
||
- name: risk_score_norm
|
||
level: extended
|
||
type: float
|
||
description: 'Normalized risk score or priority of the event, on a scale of
|
||
0 to 100.
|
||
|
||
This is mainly useful if you use more than one system that assigns risk scores,
|
||
and you want to see a normalized value across all systems.'
|
||
- name: sequence
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: 'Sequence number of the event.
|
||
|
||
The sequence number is a value published by some event sources, to make the
|
||
exact ordering of events unambiguous, regardless of the timestamp precision.'
|
||
- name: severity
|
||
level: core
|
||
type: long
|
||
format: string
|
||
description: 'The numeric severity of the event according to your event source.
|
||
|
||
What the different severity values mean can be different between sources and
|
||
use cases. It''s up to the implementer to make sure severities are consistent
|
||
across events from the same source.
|
||
|
||
The Syslog severity belongs in `log.syslog.severity.code`. `event.severity`
|
||
is meant to represent the severity according to the event source (e.g. firewall,
|
||
IDS). If the event source does not publish its own severity, you may optionally
|
||
copy the `log.syslog.severity.code` to `event.severity`.'
|
||
example: 7
|
||
- name: start
|
||
level: extended
|
||
type: date
|
||
description: event.start contains the date when the event started or when the
|
||
activity was first observed.
|
||
- name: timezone
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'This field should be populated when the event''s timestamp does
|
||
not include timezone information already (e.g. default Syslog timestamps).
|
||
It''s optional otherwise.
|
||
|
||
Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"),
|
||
abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").'
|
||
- name: type
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'This is one of four ECS Categorization Fields, and indicates the
|
||
third level in the ECS category hierarchy.
|
||
|
||
`event.type` represents a categorization "sub-bucket" that, when used along
|
||
with the `event.category` field values, enables filtering events down to a
|
||
level appropriate for single visualization.
|
||
|
||
This field is an array. This will allow proper categorization of some events
|
||
that fall in multiple event types.'
|
||
- name: url
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'URL linking to an external system to continue investigation of
|
||
this event.
|
||
|
||
This URL links to another system where in-depth investigation of the specific
|
||
occurrence of this event can take place. Alert events, indicated by `event.kind:alert`,
|
||
are a common use case for this field.'
|
||
example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe
|
||
default_field: false
|
||
- name: file
|
||
title: File
|
||
group: 2
|
||
description: 'A file is defined as a set of information that has been created
|
||
on, or has existed on a filesystem.
|
||
|
||
File objects can be associated with host events, network events, and/or file
|
||
events (e.g., those produced by File Integrity Monitoring [FIM] products or
|
||
services). File fields provide details about the affected file associated with
|
||
the event or metric.'
|
||
type: group
|
||
fields:
|
||
- name: accessed
|
||
level: extended
|
||
type: date
|
||
description: 'Last time the file was accessed.
|
||
|
||
Note that not all filesystems keep track of access time.'
|
||
- name: attributes
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Array of file attributes.
|
||
|
||
Attributes names will vary by platform. Here''s a non-exhaustive list of values
|
||
that are expected in this field: archive, compressed, directory, encrypted,
|
||
execute, hidden, read, readonly, system, write.'
|
||
example: '["readonly", "system"]'
|
||
default_field: false
|
||
- name: code_signature.digest_algorithm
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The hashing algorithm used to sign the process.
|
||
|
||
This value can distinguish signatures when a file is signed multiple times
|
||
by the same signer but with a different digest algorithm.'
|
||
example: sha256
|
||
default_field: false
|
||
- name: code_signature.exists
|
||
level: core
|
||
type: boolean
|
||
description: Boolean to capture if a signature is present.
|
||
example: 'true'
|
||
default_field: false
|
||
- name: code_signature.signing_id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The identifier used to sign the process.
|
||
|
||
This is used to identify the application manufactured by a software vendor.
|
||
The field is relevant to Apple *OS only.'
|
||
example: com.apple.xpc.proxy
|
||
default_field: false
|
||
- name: code_signature.status
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Additional information about the certificate status.
|
||
|
||
This is useful for logging cryptographic errors with the certificate validity
|
||
or trust status. Leave unpopulated if the validity or trust of the certificate
|
||
was unchecked.'
|
||
example: ERROR_UNTRUSTED_ROOT
|
||
default_field: false
|
||
- name: code_signature.subject_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Subject name of the code signer
|
||
example: Microsoft Corporation
|
||
default_field: false
|
||
- name: code_signature.team_id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The team identifier used to sign the process.
|
||
|
||
This is used to identify the team or vendor of a software product. The field
|
||
is relevant to Apple *OS only.'
|
||
example: EQHXZ8M8AV
|
||
default_field: false
|
||
- name: code_signature.timestamp
|
||
level: extended
|
||
type: date
|
||
description: Date and time when the code signature was generated and signed.
|
||
example: '2021-01-01T12:10:30Z'
|
||
default_field: false
|
||
- name: code_signature.trusted
|
||
level: extended
|
||
type: boolean
|
||
description: 'Stores the trust status of the certificate chain.
|
||
|
||
Validating the trust of the certificate chain may be complicated, and this
|
||
field should only be populated by tools that actively check the status.'
|
||
example: 'true'
|
||
default_field: false
|
||
- name: code_signature.valid
|
||
level: extended
|
||
type: boolean
|
||
description: 'Boolean to capture if the digital signature is verified against
|
||
the binary content.
|
||
|
||
Leave unpopulated if a certificate was unchecked.'
|
||
example: 'true'
|
||
default_field: false
|
||
- name: created
|
||
level: extended
|
||
type: date
|
||
description: 'File creation time.
|
||
|
||
Note that not all filesystems store the creation time.'
|
||
- name: ctime
|
||
level: extended
|
||
type: date
|
||
description: 'Last time the file attributes or metadata changed.
|
||
|
||
Note that changes to the file content will update `mtime`. This implies `ctime`
|
||
will be adjusted at the same time, since `mtime` is an attribute of the file.'
|
||
- name: device
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Device that is the source of the file.
|
||
example: sda
|
||
- name: directory
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Directory where the file is located. It should include the drive
|
||
letter, when appropriate.
|
||
example: /home/alice
|
||
- name: drive_letter
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1
|
||
description: 'Drive letter where the file is located. This field is only relevant
|
||
on Windows.
|
||
|
||
The value should be uppercase, and not include the colon.'
|
||
example: C
|
||
default_field: false
|
||
- name: elf.architecture
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Machine architecture of the ELF file.
|
||
example: x86-64
|
||
default_field: false
|
||
- name: elf.byte_order
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Byte sequence of ELF file.
|
||
example: Little Endian
|
||
default_field: false
|
||
- name: elf.cpu_type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: CPU type of the ELF file.
|
||
example: Intel
|
||
default_field: false
|
||
- name: elf.creation_date
|
||
level: extended
|
||
type: date
|
||
description: Extracted when possible from the file's metadata. Indicates when
|
||
it was built or compiled. It can also be faked by malware creators.
|
||
default_field: false
|
||
- name: elf.exports
|
||
level: extended
|
||
type: flattened
|
||
description: List of exported element names and types.
|
||
default_field: false
|
||
- name: elf.header.abi_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Version of the ELF Application Binary Interface (ABI).
|
||
default_field: false
|
||
- name: elf.header.class
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Header class of the ELF file.
|
||
default_field: false
|
||
- name: elf.header.data
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Data table of the ELF header.
|
||
default_field: false
|
||
- name: elf.header.entrypoint
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: Header entrypoint of the ELF file.
|
||
default_field: false
|
||
- name: elf.header.object_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: '"0x1" for original ELF files.'
|
||
default_field: false
|
||
- name: elf.header.os_abi
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Application Binary Interface (ABI) of the Linux OS.
|
||
default_field: false
|
||
- name: elf.header.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Header type of the ELF file.
|
||
default_field: false
|
||
- name: elf.header.version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Version of the ELF header.
|
||
default_field: false
|
||
- name: elf.imports
|
||
level: extended
|
||
type: flattened
|
||
description: List of imported element names and types.
|
||
default_field: false
|
||
- name: elf.sections
|
||
level: extended
|
||
type: nested
|
||
description: 'An array containing an object for each section of the ELF file.
|
||
|
||
The keys that should be present in these objects are defined by sub-fields
|
||
underneath `elf.sections.*`.'
|
||
default_field: false
|
||
- name: elf.sections.chi2
|
||
level: extended
|
||
type: long
|
||
format: number
|
||
description: Chi-square probability distribution of the section.
|
||
default_field: false
|
||
- name: elf.sections.entropy
|
||
level: extended
|
||
type: long
|
||
format: number
|
||
description: Shannon entropy calculation from the section.
|
||
default_field: false
|
||
- name: elf.sections.flags
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List flags.
|
||
default_field: false
|
||
- name: elf.sections.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List name.
|
||
default_field: false
|
||
- name: elf.sections.physical_offset
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List offset.
|
||
default_field: false
|
||
- name: elf.sections.physical_size
|
||
level: extended
|
||
type: long
|
||
format: bytes
|
||
description: ELF Section List physical size.
|
||
default_field: false
|
||
- name: elf.sections.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List type.
|
||
default_field: false
|
||
- name: elf.sections.virtual_address
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: ELF Section List virtual address.
|
||
default_field: false
|
||
- name: elf.sections.virtual_size
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: ELF Section List virtual size.
|
||
default_field: false
|
||
- name: elf.segments
|
||
level: extended
|
||
type: nested
|
||
description: 'An array containing an object for each segment of the ELF file.
|
||
|
||
The keys that should be present in these objects are defined by sub-fields
|
||
underneath `elf.segments.*`.'
|
||
default_field: false
|
||
- name: elf.segments.sections
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF object segment sections.
|
||
default_field: false
|
||
- name: elf.segments.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF object segment type.
|
||
default_field: false
|
||
- name: elf.shared_libraries
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of shared libraries used by this ELF object.
|
||
default_field: false
|
||
- name: elf.telfhash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: telfhash symbol hash for ELF file.
|
||
default_field: false
|
||
- name: extension
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'File extension, excluding the leading dot.
|
||
|
||
Note that when the file name has multiple extensions (example.tar.gz), only
|
||
the last one should be captured ("gz", not "tar.gz").'
|
||
example: png
|
||
- name: fork_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'A fork is additional data associated with a filesystem object.
|
||
|
||
On Linux, a resource fork is used to store additional data with a filesystem
|
||
object. A file always has at least one fork for the data portion, and additional
|
||
forks may exist.
|
||
|
||
On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
|
||
data stream for a file is just called $DATA. Zone.Identifier is commonly used
|
||
by Windows to track contents downloaded from the Internet. An ADS is typically
|
||
of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
|
||
is the value that should populate `fork_name`. `filename.extension` should
|
||
populate `file.name`, and `extension` should populate `file.extension`. The
|
||
full path, `file.path`, will include the fork name.'
|
||
example: Zone.Identifer
|
||
default_field: false
|
||
- name: gid
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Primary group ID (GID) of the file.
|
||
example: '1001'
|
||
- name: group
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Primary group name of the file.
|
||
example: alice
|
||
- name: hash.md5
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: MD5 hash.
|
||
- name: hash.sha1
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA1 hash.
|
||
- name: hash.sha256
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA256 hash.
|
||
- name: hash.sha512
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA512 hash.
|
||
- name: hash.ssdeep
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SSDEEP hash.
|
||
default_field: false
|
||
- name: inode
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Inode representing the file in the filesystem.
|
||
example: '256383'
|
||
- name: mime_type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: MIME type should identify the format of the file or stream of bytes
|
||
using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
|
||
official types], where possible. When more than one type is applicable, the
|
||
most specific type should be used.
|
||
default_field: false
|
||
- name: mode
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Mode of the file in octal representation.
|
||
example: '0640'
|
||
- name: mtime
|
||
level: extended
|
||
type: date
|
||
description: Last time the file content was modified.
|
||
- name: name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the file including the extension, without the directory.
|
||
example: example.png
|
||
- name: owner
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: File owner's username.
|
||
example: alice
|
||
- name: path
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Full path to the file, including the file name. It should include
|
||
the drive letter, when appropriate.
|
||
example: /home/alice/example.png
|
||
- name: pe.architecture
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: CPU architecture target for the file.
|
||
example: x64
|
||
default_field: false
|
||
- name: pe.company
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal company name of the file, provided at compile-time.
|
||
example: Microsoft Corporation
|
||
default_field: false
|
||
- name: pe.description
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal description of the file, provided at compile-time.
|
||
example: Paint
|
||
default_field: false
|
||
- name: pe.file_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal version of the file, provided at compile-time.
|
||
example: 6.3.9600.17415
|
||
default_field: false
|
||
- name: pe.imphash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'A hash of the imports in a PE file. An imphash -- or import hash
|
||
-- can be used to fingerprint binaries even after recompilation or other code-level
|
||
transformations have occurred, which would change more traditional hash values.
|
||
|
||
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
|
||
example: 0c6803c4e922103c4dca5963aad36ddf
|
||
default_field: false
|
||
- name: pe.original_file_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal name of the file, provided at compile-time.
|
||
example: MSPAINT.EXE
|
||
default_field: false
|
||
- name: pe.product
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal product name of the file, provided at compile-time.
|
||
example: "Microsoft\xAE Windows\xAE Operating System"
|
||
default_field: false
|
||
- name: size
|
||
level: extended
|
||
type: long
|
||
description: 'File size in bytes.
|
||
|
||
Only relevant when `file.type` is "file".'
|
||
example: 16384
|
||
- name: target_path
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Target path for symlinks.
|
||
- name: type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: File type (file, dir, or symlink).
|
||
example: file
|
||
- name: uid
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The user ID (UID) or security identifier (SID) of the file owner.
|
||
example: '1001'
|
||
- name: x509.alternative_names
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of subject alternative names (SAN). Name types vary by certificate
|
||
authority and certificate type but commonly contain IP addresses, DNS names
|
||
(and wildcards), and email addresses.
|
||
example: '*.elastic.co'
|
||
default_field: false
|
||
- name: x509.issuer.common_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of common name (CN) of issuing certificate authority.
|
||
example: Example SHA2 High Assurance Server CA
|
||
default_field: false
|
||
- name: x509.issuer.country
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of country (C) codes
|
||
example: US
|
||
default_field: false
|
||
- name: x509.issuer.distinguished_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Distinguished name (DN) of issuing certificate authority.
|
||
example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
|
||
Server CA
|
||
default_field: false
|
||
- name: x509.issuer.locality
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of locality names (L)
|
||
example: Mountain View
|
||
default_field: false
|
||
- name: x509.issuer.organization
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizations (O) of issuing certificate authority.
|
||
example: Example Inc
|
||
default_field: false
|
||
- name: x509.issuer.organizational_unit
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizational units (OU) of issuing certificate authority.
|
||
example: www.example.com
|
||
default_field: false
|
||
- name: x509.issuer.state_or_province
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of state or province names (ST, S, or P)
|
||
example: California
|
||
default_field: false
|
||
- name: x509.not_after
|
||
level: extended
|
||
type: date
|
||
description: Time at which the certificate is no longer considered valid.
|
||
example: 2020-07-16 03:15:39+00:00
|
||
default_field: false
|
||
- name: x509.not_before
|
||
level: extended
|
||
type: date
|
||
description: Time at which the certificate is first considered valid.
|
||
example: 2019-08-16 01:40:25+00:00
|
||
default_field: false
|
||
- name: x509.public_key_algorithm
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Algorithm used to generate the public key.
|
||
example: RSA
|
||
default_field: false
|
||
- name: x509.public_key_curve
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The curve used by the elliptic curve public key algorithm. This
|
||
is algorithm specific.
|
||
example: nistp521
|
||
default_field: false
|
||
- name: x509.public_key_exponent
|
||
level: extended
|
||
type: long
|
||
description: Exponent used to derive the public key. This is algorithm specific.
|
||
example: 65537
|
||
index: false
|
||
doc_values: false
|
||
default_field: false
|
||
- name: x509.public_key_size
|
||
level: extended
|
||
type: long
|
||
description: The size of the public key space in bits.
|
||
example: 2048
|
||
default_field: false
|
||
- name: x509.serial_number
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique serial number issued by the certificate authority. For consistency,
|
||
if this value is alphanumeric, it should be formatted without colons and uppercase
|
||
characters.
|
||
example: 55FBB9C7DEBF09809D12CCAA
|
||
default_field: false
|
||
- name: x509.signature_algorithm
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Identifier for certificate signature algorithm. We recommend using
|
||
names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
|
||
example: SHA256-RSA
|
||
default_field: false
|
||
- name: x509.subject.common_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of common names (CN) of subject.
|
||
example: shared.global.example.net
|
||
default_field: false
|
||
- name: x509.subject.country
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of country (C) code
|
||
example: US
|
||
default_field: false
|
||
- name: x509.subject.distinguished_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Distinguished name (DN) of the certificate subject entity.
|
||
example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
|
||
default_field: false
|
||
- name: x509.subject.locality
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of locality names (L)
|
||
example: San Francisco
|
||
default_field: false
|
||
- name: x509.subject.organization
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizations (O) of subject.
|
||
example: Example, Inc.
|
||
default_field: false
|
||
- name: x509.subject.organizational_unit
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizational units (OU) of subject.
|
||
default_field: false
|
||
- name: x509.subject.state_or_province
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of state or province names (ST, S, or P)
|
||
example: California
|
||
default_field: false
|
||
- name: x509.version_number
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Version of x509 format.
|
||
example: 3
|
||
default_field: false
|
||
- name: geo
|
||
title: Geo
|
||
group: 2
|
||
description: 'Geo fields can carry data about a specific location related to an
|
||
event.
|
||
|
||
This geolocation information can be derived from techniques such as Geo IP,
|
||
or be user-supplied.'
|
||
type: group
|
||
fields:
|
||
- name: city_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: City name.
|
||
example: Montreal
|
||
- name: continent_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Two-letter code representing continent's name.
|
||
example: NA
|
||
default_field: false
|
||
- name: continent_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the continent.
|
||
example: North America
|
||
- name: country_iso_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Country ISO code.
|
||
example: CA
|
||
- name: country_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Country name.
|
||
example: Canada
|
||
- name: location
|
||
level: core
|
||
type: geo_point
|
||
description: Longitude and latitude.
|
||
example: '{ "lon": -73.614830, "lat": 45.505918 }'
|
||
- name: name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'User-defined description of a location, at the level of granularity
|
||
they care about.
|
||
|
||
Could be the name of their data centers, the floor number, if this describes
|
||
a local physical entity, city names.
|
||
|
||
Not typically used in automated geolocation.'
|
||
example: boston-dc
|
||
- name: postal_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Postal code associated with the location.
|
||
|
||
Values appropriate for this field may also be known as a postcode or ZIP code
|
||
and will vary widely from country to country.'
|
||
example: 94040
|
||
default_field: false
|
||
- name: region_iso_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Region ISO code.
|
||
example: CA-QC
|
||
- name: region_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Region name.
|
||
example: Quebec
|
||
- name: timezone
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The time zone of the location, such as IANA time zone name.
|
||
example: America/Argentina/Buenos_Aires
|
||
default_field: false
|
||
- name: group
|
||
title: Group
|
||
group: 2
|
||
description: The group fields are meant to represent groups that are relevant
|
||
to the event.
|
||
type: group
|
||
fields:
|
||
- name: domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the directory the group is a member of.
|
||
|
||
For example, an LDAP or Active Directory domain name.'
|
||
- name: id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier for the group on the system/platform.
|
||
- name: name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the group.
|
||
- name: hash
|
||
title: Hash
|
||
group: 2
|
||
description: 'The hash fields represent different bitwise hash algorithms and
|
||
their values.
|
||
|
||
Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for
|
||
other hashes by lowercasing the hash algorithm name and using underscore separators
|
||
as appropriate (snake case, e.g. sha3_512).
|
||
|
||
Note that this fieldset is used for common hashes that may be computed over
|
||
a range of generic bytes. Entity-specific hashes such as ja3 or imphash are
|
||
placed in the fieldsets to which they relate (tls and pe, respectively).'
|
||
type: group
|
||
fields:
|
||
- name: md5
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: MD5 hash.
|
||
- name: sha1
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA1 hash.
|
||
- name: sha256
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA256 hash.
|
||
- name: sha512
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA512 hash.
|
||
- name: ssdeep
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SSDEEP hash.
|
||
default_field: false
|
||
- name: host
|
||
title: Host
|
||
group: 2
|
||
description: 'A host is defined as a general computing instance.
|
||
|
||
ECS host.* fields should be populated with details about the host on which the
|
||
event happened, or from which the measurement was taken. Host types include
|
||
hardware, virtual machines, Docker containers, and Kubernetes nodes.'
|
||
type: group
|
||
fields:
|
||
- name: architecture
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Operating system architecture.
|
||
example: x86_64
|
||
- name: cpu.usage
|
||
level: extended
|
||
type: scaled_float
|
||
description: 'Percent CPU used which is normalized by the number of CPU cores
|
||
and it ranges from 0 to 1.
|
||
|
||
Scaling factor: 1000.
|
||
|
||
For example: For a two core host, this value should be the average of the
|
||
two cores, between 0 and 1.'
|
||
scaling_factor: 1000
|
||
default_field: false
|
||
- name: disk.read.bytes
|
||
level: extended
|
||
type: long
|
||
description: The total number of bytes (gauge) read successfully (aggregated
|
||
from all disks) since the last metric collection.
|
||
default_field: false
|
||
- name: disk.write.bytes
|
||
level: extended
|
||
type: long
|
||
description: The total number of bytes (gauge) written successfully (aggregated
|
||
from all disks) since the last metric collection.
|
||
default_field: false
|
||
- name: domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the domain of which the host is a member.
|
||
|
||
For example, on Windows this could be the host''s Active Directory domain
|
||
or NetBIOS domain name. For Linux this could be the domain of the host''s
|
||
LDAP provider.'
|
||
example: CONTOSO
|
||
default_field: false
|
||
- name: geo.city_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: City name.
|
||
example: Montreal
|
||
- name: geo.continent_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Two-letter code representing continent's name.
|
||
example: NA
|
||
default_field: false
|
||
- name: geo.continent_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the continent.
|
||
example: North America
|
||
- name: geo.country_iso_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Country ISO code.
|
||
example: CA
|
||
- name: geo.country_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Country name.
|
||
example: Canada
|
||
- name: geo.location
|
||
level: core
|
||
type: geo_point
|
||
description: Longitude and latitude.
|
||
example: '{ "lon": -73.614830, "lat": 45.505918 }'
|
||
- name: geo.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'User-defined description of a location, at the level of granularity
|
||
they care about.
|
||
|
||
Could be the name of their data centers, the floor number, if this describes
|
||
a local physical entity, city names.
|
||
|
||
Not typically used in automated geolocation.'
|
||
example: boston-dc
|
||
- name: geo.postal_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Postal code associated with the location.
|
||
|
||
Values appropriate for this field may also be known as a postcode or ZIP code
|
||
and will vary widely from country to country.'
|
||
example: 94040
|
||
default_field: false
|
||
- name: geo.region_iso_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Region ISO code.
|
||
example: CA-QC
|
||
- name: geo.region_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Region name.
|
||
example: Quebec
|
||
- name: geo.timezone
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The time zone of the location, such as IANA time zone name.
|
||
example: America/Argentina/Buenos_Aires
|
||
default_field: false
|
||
- name: hostname
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Hostname of the host.
|
||
|
||
It normally contains what the `hostname` command returns on the host machine.'
|
||
- name: id
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Unique host id.
|
||
|
||
As hostname is not always unique, use values that are meaningful in your environment.
|
||
|
||
Example: The current usage of `beat.name`.'
|
||
- name: ip
|
||
level: core
|
||
type: ip
|
||
description: Host ip addresses.
|
||
- name: mac
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Host MAC addresses.
|
||
|
||
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
|
||
byte) is represented by two [uppercase] hexadecimal digits giving the value
|
||
of the octet as an unsigned integer. Successive octets are separated by a
|
||
hyphen.'
|
||
example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
|
||
- name: name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the host.
|
||
|
||
It can contain what `hostname` returns on Unix systems, the fully qualified
|
||
domain name, or a name specified by the user. The sender decides which value
|
||
to use.'
|
||
- name: network.egress.bytes
|
||
level: extended
|
||
type: long
|
||
description: The number of bytes (gauge) sent out on all network interfaces
|
||
by the host since the last metric collection.
|
||
default_field: false
|
||
- name: network.egress.packets
|
||
level: extended
|
||
type: long
|
||
description: The number of packets (gauge) sent out on all network interfaces
|
||
by the host since the last metric collection.
|
||
default_field: false
|
||
- name: network.ingress.bytes
|
||
level: extended
|
||
type: long
|
||
description: The number of bytes received (gauge) on all network interfaces
|
||
by the host since the last metric collection.
|
||
default_field: false
|
||
- name: network.ingress.packets
|
||
level: extended
|
||
type: long
|
||
description: The number of packets (gauge) received on all network interfaces
|
||
by the host since the last metric collection.
|
||
default_field: false
|
||
- name: os.family
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: OS family (such as redhat, debian, freebsd, windows).
|
||
example: debian
|
||
- name: os.full
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Operating system name, including the version or code name.
|
||
example: Mac OS Mojave
|
||
- name: os.kernel
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Operating system kernel version as a raw string.
|
||
example: 4.4.0-112-generic
|
||
- name: os.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Operating system name, without the version.
|
||
example: Mac OS X
|
||
- name: os.platform
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Operating system platform (such centos, ubuntu, windows).
|
||
example: darwin
|
||
- name: os.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Use the `os.type` field to categorize the operating system into
|
||
one of the broad commercial families.
|
||
|
||
One of these following values should be used (lowercase): linux, macos, unix,
|
||
windows.
|
||
|
||
If the OS you''re dealing with is not in the list, the field should not be
|
||
populated. Please let us know by opening an issue with ECS, to propose its
|
||
addition.'
|
||
example: macos
|
||
default_field: false
|
||
- name: os.version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Operating system version as a raw string.
|
||
example: 10.14.1
|
||
- name: type
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Type of host.
|
||
|
||
For Cloud providers this can be the machine type like `t2.medium`. If vm,
|
||
this could be the container, for example, or other information meaningful
|
||
in your environment.'
|
||
- name: uptime
|
||
level: extended
|
||
type: long
|
||
description: Seconds the host has been up.
|
||
example: 1325
|
||
- name: user.domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the directory the user is a member of.
|
||
|
||
For example, an LDAP or Active Directory domain name.'
|
||
- name: user.email
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: User email address.
|
||
- name: user.full_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: User's full name, if available.
|
||
example: Albert Einstein
|
||
- name: user.group.domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the directory the group is a member of.
|
||
|
||
For example, an LDAP or Active Directory domain name.'
|
||
- name: user.group.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier for the group on the system/platform.
|
||
- name: user.group.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the group.
|
||
- name: user.hash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Unique user hash to correlate information for a user in anonymized
|
||
form.
|
||
|
||
Useful if `user.id` or `user.name` contain confidential information and cannot
|
||
be used.'
|
||
- name: user.id
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier of the user.
|
||
example: S-1-5-21-202424912787-2692429404-2351956786-1000
|
||
- name: user.name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Short name or login of the user.
|
||
example: a.einstein
|
||
- name: user.roles
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Array of user roles at the time of the event.
|
||
example: '["kibana_admin", "reporting_user"]'
|
||
default_field: false
|
||
- name: http
|
||
title: HTTP
|
||
group: 2
|
||
description: Fields related to HTTP activity. Use the `url` field set to store
|
||
the url of the request.
|
||
type: group
|
||
fields:
|
||
- name: request.body.bytes
|
||
level: extended
|
||
type: long
|
||
format: bytes
|
||
description: Size in bytes of the request body.
|
||
example: 887
|
||
- name: request.body.content
|
||
level: extended
|
||
type: wildcard
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: The full HTTP request body.
|
||
example: Hello world
|
||
- name: request.bytes
|
||
level: extended
|
||
type: long
|
||
format: bytes
|
||
description: Total size in bytes of the request (body and headers).
|
||
example: 1437
|
||
- name: request.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'A unique identifier for each HTTP request to correlate logs between
|
||
clients and servers in transactions.
|
||
|
||
The id may be contained in a non-standard HTTP header, such as `X-Request-ID`
|
||
or `X-Correlation-ID`.'
|
||
example: 123e4567-e89b-12d3-a456-426614174000
|
||
default_field: false
|
||
- name: request.method
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'HTTP request method.
|
||
|
||
Prior to ECS 1.6.0 the following guidance was provided:
|
||
|
||
"The field value must be normalized to lowercase for querying."
|
||
|
||
As of ECS 1.6.0, the guidance is deprecated because the original case of the
|
||
method may be useful in anomaly detection. Original case will be mandated
|
||
in ECS 2.0.0'
|
||
example: GET, POST, PUT, PoST
|
||
- name: request.mime_type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Mime type of the body of the request.
|
||
|
||
This value must only be populated based on the content of the request body,
|
||
not on the `Content-Type` header. Comparing the mime type of a request with
|
||
the request''s Content-Type header can be helpful in detecting threats or
|
||
misconfigured clients.'
|
||
example: image/gif
|
||
default_field: false
|
||
- name: request.referrer
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Referrer for this HTTP request.
|
||
example: https://blog.example.com/
|
||
- name: response.body.bytes
|
||
level: extended
|
||
type: long
|
||
format: bytes
|
||
description: Size in bytes of the response body.
|
||
example: 887
|
||
- name: response.body.content
|
||
level: extended
|
||
type: wildcard
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: The full HTTP response body.
|
||
example: Hello world
|
||
- name: response.bytes
|
||
level: extended
|
||
type: long
|
||
format: bytes
|
||
description: Total size in bytes of the response (body and headers).
|
||
example: 1437
|
||
- name: response.mime_type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Mime type of the body of the response.
|
||
|
||
This value must only be populated based on the content of the response body,
|
||
not on the `Content-Type` header. Comparing the mime type of a response with
|
||
the response''s Content-Type header can be helpful in detecting misconfigured
|
||
servers.'
|
||
example: image/gif
|
||
default_field: false
|
||
- name: response.status_code
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: HTTP response status code.
|
||
example: 404
|
||
- name: version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: HTTP version.
|
||
example: 1.1
|
||
- name: interface
|
||
title: Interface
|
||
group: 2
|
||
description: The interface fields are used to record ingress and egress interface
|
||
information when reported by an observer (e.g. firewall, router, load balancer)
|
||
in the context of the observer handling a network connection. In the case of
|
||
a single observer interface (e.g. network sensor on a span port) only the observer.ingress
|
||
information should be populated.
|
||
type: group
|
||
fields:
|
||
- name: alias
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Interface alias as reported by the system, typically used in firewall
|
||
implementations for e.g. inside, outside, or dmz logical interface naming.
|
||
example: outside
|
||
default_field: false
|
||
- name: id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Interface ID as reported by an observer (typically SNMP interface
|
||
ID).
|
||
example: 10
|
||
default_field: false
|
||
- name: name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Interface name as reported by the system.
|
||
example: eth0
|
||
default_field: false
|
||
- name: log
|
||
title: Log
|
||
group: 2
|
||
description: 'Details about the event''s logging mechanism or logging transport.
|
||
|
||
The log.* fields are typically populated with details about the logging mechanism
|
||
used to create and/or transport the event. For example, syslog details belong
|
||
under `log.syslog.*`.
|
||
|
||
The details specific to your event source are typically not logged under `log.*`,
|
||
but rather in `event.*` or in other ECS fields.'
|
||
type: group
|
||
fields:
|
||
- name: file.path
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Full path to the log file this event came from, including the
|
||
file name. It should include the drive letter, when appropriate.
|
||
|
||
If the event wasn''t read from a log file, do not populate this field.'
|
||
example: /var/log/fun-times.log
|
||
default_field: false
|
||
- name: level
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Original log level of the log event.
|
||
|
||
If the source of the event provides a log level or textual severity, this
|
||
is the one that goes in `log.level`. If your source doesn''t specify one,
|
||
you may put your event transport''s severity here (e.g. Syslog severity).
|
||
|
||
Some examples are `warn`, `err`, `i`, `informational`.'
|
||
example: error
|
||
- name: logger
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The name of the logger inside an application. This is usually the
|
||
name of the class which initialized the logger, or can be a custom name.
|
||
example: org.elasticsearch.bootstrap.Bootstrap
|
||
- name: origin.file.line
|
||
level: extended
|
||
type: integer
|
||
description: The line number of the file containing the source code which originated
|
||
the log event.
|
||
example: 42
|
||
- name: origin.file.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The name of the file containing the source code which originated
|
||
the log event.
|
||
|
||
Note that this field is not meant to capture the log file. The correct field
|
||
to capture the log file is `log.file.path`.'
|
||
example: Bootstrap.java
|
||
- name: origin.function
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The name of the function or method which originated the log event.
|
||
example: init
|
||
- name: original
|
||
level: core
|
||
type: keyword
|
||
description: 'Deprecated for removal in next major version release. This field
|
||
is superseded by `event.original`.
|
||
|
||
This is the original log message and contains the full log message before
|
||
splitting it up in multiple parts.
|
||
|
||
In contrast to the `message` field which can contain an extracted part of
|
||
the log message, this field contains the original, full log message. It can
|
||
have already some modifications applied like encoding or new lines removed
|
||
to clean up the log message.
|
||
|
||
This field is not indexed and doc_values are disabled so it can''t be queried
|
||
but the value can be retrieved from `_source`.'
|
||
example: Sep 19 08:26:10 localhost My log
|
||
index: false
|
||
doc_values: false
|
||
- name: syslog
|
||
level: extended
|
||
type: object
|
||
description: The Syslog metadata of the event, if the event was transmitted
|
||
via Syslog. Please see RFCs 5424 or 3164.
|
||
- name: syslog.facility.code
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: 'The Syslog numeric facility of the log event, if available.
|
||
|
||
According to RFCs 5424 and 3164, this value should be an integer between 0
|
||
and 23.'
|
||
example: 23
|
||
- name: syslog.facility.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The Syslog text-based facility of the log event, if available.
|
||
example: local7
|
||
- name: syslog.priority
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: 'Syslog numeric priority of the event, if available.
|
||
|
||
According to RFCs 5424 and 3164, the priority is 8 * facility + severity.
|
||
This number is therefore expected to contain a value between 0 and 191.'
|
||
example: 135
|
||
- name: syslog.severity.code
|
||
level: extended
|
||
type: long
|
||
description: 'The Syslog numeric severity of the log event, if available.
|
||
|
||
If the event source publishing via Syslog provides a different numeric severity
|
||
value (e.g. firewall, IDS), your source''s numeric severity should go to `event.severity`.
|
||
If the event source does not specify a distinct severity, you can optionally
|
||
copy the Syslog severity to `event.severity`.'
|
||
example: 3
|
||
- name: syslog.severity.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The Syslog numeric severity of the log event, if available.
|
||
|
||
If the event source publishing via Syslog provides a different severity value
|
||
(e.g. firewall, IDS), your source''s text severity should go to `log.level`.
|
||
If the event source does not specify a distinct severity, you can optionally
|
||
copy the Syslog severity to `log.level`.'
|
||
example: Error
|
||
- name: network
|
||
title: Network
|
||
group: 2
|
||
description: 'The network is defined as the communication path over which a host
|
||
or network event happens.
|
||
|
||
The network.* fields should be populated with details about the network activity
|
||
associated with an event.'
|
||
type: group
|
||
fields:
|
||
- name: application
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'A name given to an application level protocol. This can be arbitrarily
|
||
assigned for things like microservices, but also apply to things like skype,
|
||
icq, facebook, twitter. This would be used in situations where the vendor
|
||
or service can be decoded such as from the source/dest IP owners, ports, or
|
||
wire format.
|
||
|
||
The field value must be normalized to lowercase for querying. See the documentation
|
||
section "Implementing ECS".'
|
||
example: aim
|
||
- name: bytes
|
||
level: core
|
||
type: long
|
||
format: bytes
|
||
description: 'Total bytes transferred in both directions.
|
||
|
||
If `source.bytes` and `destination.bytes` are known, `network.bytes` is their
|
||
sum.'
|
||
example: 368
|
||
- name: community_id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'A hash of source and destination IPs and ports, as well as the
|
||
protocol used in a communication. This is a tool-agnostic standard to identify
|
||
flows.
|
||
|
||
Learn more at https://github.com/corelight/community-id-spec.'
|
||
example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
|
||
- name: direction
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "Direction of the network traffic.\nRecommended values are:\n \
|
||
\ * ingress\n * egress\n * inbound\n * outbound\n * internal\n * external\n\
|
||
\ * unknown\n\nWhen mapping events from a host-based monitoring context,\
|
||
\ populate this field from the host's point of view, using the values \"ingress\"\
|
||
\ or \"egress\".\nWhen mapping events from a network or perimeter-based monitoring\
|
||
\ context, populate this field from the point of view of the network perimeter,\
|
||
\ using the values \"inbound\", \"outbound\", \"internal\" or \"external\"\
|
||
.\nNote that \"internal\" is not crossing perimeter boundaries, and is meant\
|
||
\ to describe communication between two hosts within the perimeter. Note also\
|
||
\ that \"external\" is meant to describe traffic between two hosts that are\
|
||
\ external to the perimeter. This could for example be useful for ISPs or\
|
||
\ VPN service providers."
|
||
example: inbound
|
||
- name: forwarded_ip
|
||
level: core
|
||
type: ip
|
||
description: Host IP address when the source IP address is the proxy.
|
||
example: 192.1.1.2
|
||
- name: iana_number
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
|
||
Standardized list of protocols. This aligns well with NetFlow and sFlow related
|
||
logs which use the IANA Protocol Number.
|
||
example: 6
|
||
- name: inner
|
||
level: extended
|
||
type: object
|
||
description: Network.inner fields are added in addition to network.vlan fields
|
||
to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed
|
||
fields include vlan.id and vlan.name. Inner vlan fields are typically used
|
||
when sending traffic with multiple 802.1q encapsulations to a network sensor
|
||
(e.g. Zeek, Wireshark.)
|
||
default_field: false
|
||
- name: inner.vlan.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: VLAN ID as reported by the observer.
|
||
example: 10
|
||
default_field: false
|
||
- name: inner.vlan.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Optional VLAN name as reported by the observer.
|
||
example: outside
|
||
default_field: false
|
||
- name: name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name given by operators to sections of their network.
|
||
example: Guest Wifi
|
||
- name: packets
|
||
level: core
|
||
type: long
|
||
description: 'Total packets transferred in both directions.
|
||
|
||
If `source.packets` and `destination.packets` are known, `network.packets`
|
||
is their sum.'
|
||
example: 24
|
||
- name: protocol
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'L7 Network protocol name. ex. http, lumberjack, transport protocol.
|
||
|
||
The field value must be normalized to lowercase for querying. See the documentation
|
||
section "Implementing ECS".'
|
||
example: http
|
||
- name: transport
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Same as network.iana_number, but instead using the Keyword name
|
||
of the transport layer (udp, tcp, ipv6-icmp, etc.)
|
||
|
||
The field value must be normalized to lowercase for querying. See the documentation
|
||
section "Implementing ECS".'
|
||
example: tcp
|
||
- name: type
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'In the OSI Model this would be the Network Layer. ipv4, ipv6,
|
||
ipsec, pim, etc
|
||
|
||
The field value must be normalized to lowercase for querying. See the documentation
|
||
section "Implementing ECS".'
|
||
example: ipv4
|
||
- name: vlan.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: VLAN ID as reported by the observer.
|
||
example: 10
|
||
default_field: false
|
||
- name: vlan.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Optional VLAN name as reported by the observer.
|
||
example: outside
|
||
default_field: false
|
||
- name: observer
|
||
title: Observer
|
||
group: 2
|
||
description: 'An observer is defined as a special network, security, or application
|
||
device used to detect, observe, or create network, security, or application-related
|
||
events and metrics.
|
||
|
||
This could be a custom hardware appliance or a server that has been configured
|
||
to run special network, security, or application software. Examples include
|
||
firewalls, web proxies, intrusion detection/prevention systems, network monitoring
|
||
sensors, web application firewalls, data loss prevention systems, and APM servers.
|
||
The observer.* fields shall be populated with details of the system, if any,
|
||
that detects, observes and/or creates a network, security, or application event
|
||
or metric. Message queues and ETL components used in processing events or metrics
|
||
are not considered observers in ECS.'
|
||
type: group
|
||
fields:
|
||
- name: egress
|
||
level: extended
|
||
type: object
|
||
description: Observer.egress holds information like interface number and name,
|
||
vlan, and zone information to classify egress traffic. Single armed monitoring
|
||
such as a network sensor on a span port should only use observer.ingress to
|
||
categorize traffic.
|
||
default_field: false
|
||
- name: egress.interface.alias
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Interface alias as reported by the system, typically used in firewall
|
||
implementations for e.g. inside, outside, or dmz logical interface naming.
|
||
example: outside
|
||
default_field: false
|
||
- name: egress.interface.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Interface ID as reported by an observer (typically SNMP interface
|
||
ID).
|
||
example: 10
|
||
default_field: false
|
||
- name: egress.interface.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Interface name as reported by the system.
|
||
example: eth0
|
||
default_field: false
|
||
- name: egress.vlan.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: VLAN ID as reported by the observer.
|
||
example: 10
|
||
default_field: false
|
||
- name: egress.vlan.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Optional VLAN name as reported by the observer.
|
||
example: outside
|
||
default_field: false
|
||
- name: egress.zone
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Network zone of outbound traffic as reported by the observer to
|
||
categorize the destination area of egress traffic, e.g. Internal, External,
|
||
DMZ, HR, Legal, etc.
|
||
example: Public_Internet
|
||
default_field: false
|
||
- name: geo.city_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: City name.
|
||
example: Montreal
|
||
- name: geo.continent_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Two-letter code representing continent's name.
|
||
example: NA
|
||
default_field: false
|
||
- name: geo.continent_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the continent.
|
||
example: North America
|
||
- name: geo.country_iso_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Country ISO code.
|
||
example: CA
|
||
- name: geo.country_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Country name.
|
||
example: Canada
|
||
- name: geo.location
|
||
level: core
|
||
type: geo_point
|
||
description: Longitude and latitude.
|
||
example: '{ "lon": -73.614830, "lat": 45.505918 }'
|
||
- name: geo.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'User-defined description of a location, at the level of granularity
|
||
they care about.
|
||
|
||
Could be the name of their data centers, the floor number, if this describes
|
||
a local physical entity, city names.
|
||
|
||
Not typically used in automated geolocation.'
|
||
example: boston-dc
|
||
- name: geo.postal_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Postal code associated with the location.
|
||
|
||
Values appropriate for this field may also be known as a postcode or ZIP code
|
||
and will vary widely from country to country.'
|
||
example: 94040
|
||
default_field: false
|
||
- name: geo.region_iso_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Region ISO code.
|
||
example: CA-QC
|
||
- name: geo.region_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Region name.
|
||
example: Quebec
|
||
- name: geo.timezone
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The time zone of the location, such as IANA time zone name.
|
||
example: America/Argentina/Buenos_Aires
|
||
default_field: false
|
||
- name: hostname
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Hostname of the observer.
|
||
- name: ingress
|
||
level: extended
|
||
type: object
|
||
description: Observer.ingress holds information like interface number and name,
|
||
vlan, and zone information to classify ingress traffic. Single armed monitoring
|
||
such as a network sensor on a span port should only use observer.ingress to
|
||
categorize traffic.
|
||
default_field: false
|
||
- name: ingress.interface.alias
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Interface alias as reported by the system, typically used in firewall
|
||
implementations for e.g. inside, outside, or dmz logical interface naming.
|
||
example: outside
|
||
default_field: false
|
||
- name: ingress.interface.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Interface ID as reported by an observer (typically SNMP interface
|
||
ID).
|
||
example: 10
|
||
default_field: false
|
||
- name: ingress.interface.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Interface name as reported by the system.
|
||
example: eth0
|
||
default_field: false
|
||
- name: ingress.vlan.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: VLAN ID as reported by the observer.
|
||
example: 10
|
||
default_field: false
|
||
- name: ingress.vlan.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Optional VLAN name as reported by the observer.
|
||
example: outside
|
||
default_field: false
|
||
- name: ingress.zone
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Network zone of incoming traffic as reported by the observer to
|
||
categorize the source area of ingress traffic. e.g. internal, External, DMZ,
|
||
HR, Legal, etc.
|
||
example: DMZ
|
||
default_field: false
|
||
- name: ip
|
||
level: core
|
||
type: ip
|
||
description: IP addresses of the observer.
|
||
- name: mac
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'MAC addresses of the observer.
|
||
|
||
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
|
||
byte) is represented by two [uppercase] hexadecimal digits giving the value
|
||
of the octet as an unsigned integer. Successive octets are separated by a
|
||
hyphen.'
|
||
example: '["00-00-5E-00-53-23", "00-00-5E-00-53-24"]'
|
||
- name: name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Custom name of the observer.
|
||
|
||
This is a name that can be given to an observer. This can be helpful for example
|
||
if multiple firewalls of the same model are used in an organization.
|
||
|
||
If no custom name is needed, the field can be left empty.'
|
||
example: 1_proxySG
|
||
- name: os.family
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: OS family (such as redhat, debian, freebsd, windows).
|
||
example: debian
|
||
- name: os.full
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Operating system name, including the version or code name.
|
||
example: Mac OS Mojave
|
||
- name: os.kernel
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Operating system kernel version as a raw string.
|
||
example: 4.4.0-112-generic
|
||
- name: os.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Operating system name, without the version.
|
||
example: Mac OS X
|
||
- name: os.platform
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Operating system platform (such centos, ubuntu, windows).
|
||
example: darwin
|
||
- name: os.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Use the `os.type` field to categorize the operating system into
|
||
one of the broad commercial families.
|
||
|
||
One of these following values should be used (lowercase): linux, macos, unix,
|
||
windows.
|
||
|
||
If the OS you''re dealing with is not in the list, the field should not be
|
||
populated. Please let us know by opening an issue with ECS, to propose its
|
||
addition.'
|
||
example: macos
|
||
default_field: false
|
||
- name: os.version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Operating system version as a raw string.
|
||
example: 10.14.1
|
||
- name: product
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The product name of the observer.
|
||
example: s200
|
||
- name: serial_number
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Observer serial number.
|
||
- name: type
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The type of the observer the data is coming from.
|
||
|
||
There is no predefined list of observer types. Some examples are `forwarder`,
|
||
`firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.'
|
||
example: firewall
|
||
- name: vendor
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Vendor name of the observer.
|
||
example: Symantec
|
||
- name: version
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Observer version.
|
||
- name: orchestrator
|
||
title: Orchestrator
|
||
group: 2
|
||
description: Fields that describe the resources which container orchestrators
|
||
manage or act upon.
|
||
type: group
|
||
fields:
|
||
- name: api_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: API version being used to carry out the action
|
||
example: v1beta1
|
||
default_field: false
|
||
- name: cluster.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the cluster.
|
||
default_field: false
|
||
- name: cluster.url
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: URL of the API used to manage the cluster.
|
||
default_field: false
|
||
- name: cluster.version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The version of the cluster.
|
||
default_field: false
|
||
- name: namespace
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Namespace in which the action is taking place.
|
||
example: kube-system
|
||
default_field: false
|
||
- name: organization
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Organization affected by the event (for multi-tenant orchestrator
|
||
setups).
|
||
example: elastic
|
||
default_field: false
|
||
- name: resource.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the resource being acted upon.
|
||
example: test-pod-cdcws
|
||
default_field: false
|
||
- name: resource.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Type of resource being acted upon.
|
||
example: service
|
||
default_field: false
|
||
- name: type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry).
|
||
example: kubernetes
|
||
default_field: false
|
||
- name: organization
|
||
title: Organization
|
||
group: 2
|
||
description: 'The organization fields enrich data with information about the company
|
||
or entity the data is associated with.
|
||
|
||
These fields help you arrange or filter data stored in an index by one or multiple
|
||
organizations.'
|
||
type: group
|
||
fields:
|
||
- name: id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier for the organization.
|
||
- name: name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Organization name.
|
||
- name: os
|
||
title: Operating System
|
||
group: 2
|
||
description: The OS fields contain information about the operating system.
|
||
type: group
|
||
fields:
|
||
- name: family
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: OS family (such as redhat, debian, freebsd, windows).
|
||
example: debian
|
||
- name: full
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Operating system name, including the version or code name.
|
||
example: Mac OS Mojave
|
||
- name: kernel
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Operating system kernel version as a raw string.
|
||
example: 4.4.0-112-generic
|
||
- name: name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Operating system name, without the version.
|
||
example: Mac OS X
|
||
- name: platform
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Operating system platform (such centos, ubuntu, windows).
|
||
example: darwin
|
||
- name: type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Use the `os.type` field to categorize the operating system into
|
||
one of the broad commercial families.
|
||
|
||
One of these following values should be used (lowercase): linux, macos, unix,
|
||
windows.
|
||
|
||
If the OS you''re dealing with is not in the list, the field should not be
|
||
populated. Please let us know by opening an issue with ECS, to propose its
|
||
addition.'
|
||
example: macos
|
||
default_field: false
|
||
- name: version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Operating system version as a raw string.
|
||
example: 10.14.1
|
||
- name: package
|
||
title: Package
|
||
group: 2
|
||
description: These fields contain information about an installed software package.
|
||
It contains general information about a package, such as name, version or size.
|
||
It also contains installation details, such as time or location.
|
||
type: group
|
||
fields:
|
||
- name: architecture
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Package architecture.
|
||
example: x86_64
|
||
- name: build_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Additional information about the build version of the installed
|
||
package.
|
||
|
||
For example use the commit SHA of a non-released package.'
|
||
example: 36f4f7e89dd61b0988b12ee000b98966867710cd
|
||
default_field: false
|
||
- name: checksum
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Checksum of the installed package for verification.
|
||
example: 68b329da9893e34099c7d8ad5cb9c940
|
||
- name: description
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Description of the package.
|
||
example: Open source programming language to build simple/reliable/efficient
|
||
software.
|
||
- name: install_scope
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Indicating how the package was installed, e.g. user-local, global.
|
||
example: global
|
||
- name: installed
|
||
level: extended
|
||
type: date
|
||
description: Time when package was installed.
|
||
- name: license
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'License under which the package was released.
|
||
|
||
Use a short name, e.g. the license identifier from SPDX License List where
|
||
possible (https://spdx.org/licenses/).'
|
||
example: Apache License 2.0
|
||
- name: name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Package name
|
||
example: go
|
||
- name: path
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Path where the package is installed.
|
||
example: /usr/local/Cellar/go/1.12.9/
|
||
- name: reference
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Home page or reference URL of the software in this package, if
|
||
available.
|
||
example: https://golang.org
|
||
default_field: false
|
||
- name: size
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: Package size in bytes.
|
||
example: 62231
|
||
- name: type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Type of package.
|
||
|
||
This should contain the package file type, rather than the package manager
|
||
name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar.'
|
||
example: rpm
|
||
default_field: false
|
||
- name: version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Package version
|
||
example: 1.12.9
|
||
- name: pe
|
||
title: PE Header
|
||
group: 2
|
||
description: These fields contain Windows Portable Executable (PE) metadata.
|
||
type: group
|
||
fields:
|
||
- name: architecture
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: CPU architecture target for the file.
|
||
example: x64
|
||
default_field: false
|
||
- name: company
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal company name of the file, provided at compile-time.
|
||
example: Microsoft Corporation
|
||
default_field: false
|
||
- name: description
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal description of the file, provided at compile-time.
|
||
example: Paint
|
||
default_field: false
|
||
- name: file_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal version of the file, provided at compile-time.
|
||
example: 6.3.9600.17415
|
||
default_field: false
|
||
- name: imphash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'A hash of the imports in a PE file. An imphash -- or import hash
|
||
-- can be used to fingerprint binaries even after recompilation or other code-level
|
||
transformations have occurred, which would change more traditional hash values.
|
||
|
||
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
|
||
example: 0c6803c4e922103c4dca5963aad36ddf
|
||
default_field: false
|
||
- name: original_file_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal name of the file, provided at compile-time.
|
||
example: MSPAINT.EXE
|
||
default_field: false
|
||
- name: product
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal product name of the file, provided at compile-time.
|
||
example: "Microsoft\xAE Windows\xAE Operating System"
|
||
default_field: false
|
||
- name: process
|
||
title: Process
|
||
group: 2
|
||
description: 'These fields contain information about a process.
|
||
|
||
These fields can help you correlate metrics information with a process id/name
|
||
from a log message. The `process.pid` often stays in the metric itself and
|
||
is copied to the global field for correlation.'
|
||
type: group
|
||
fields:
|
||
- name: args
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Array of process arguments, starting with the absolute path to
|
||
the executable.
|
||
|
||
May be filtered to protect sensitive information.'
|
||
example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
|
||
- name: args_count
|
||
level: extended
|
||
type: long
|
||
description: 'Length of the process.args array.
|
||
|
||
This field can be useful for querying or performing bucket analysis on how
|
||
many arguments were provided to start a process. More arguments may be an
|
||
indication of suspicious activity.'
|
||
example: 4
|
||
default_field: false
|
||
- name: code_signature.digest_algorithm
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The hashing algorithm used to sign the process.
|
||
|
||
This value can distinguish signatures when a file is signed multiple times
|
||
by the same signer but with a different digest algorithm.'
|
||
example: sha256
|
||
default_field: false
|
||
- name: code_signature.exists
|
||
level: core
|
||
type: boolean
|
||
description: Boolean to capture if a signature is present.
|
||
example: 'true'
|
||
default_field: false
|
||
- name: code_signature.signing_id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The identifier used to sign the process.
|
||
|
||
This is used to identify the application manufactured by a software vendor.
|
||
The field is relevant to Apple *OS only.'
|
||
example: com.apple.xpc.proxy
|
||
default_field: false
|
||
- name: code_signature.status
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Additional information about the certificate status.
|
||
|
||
This is useful for logging cryptographic errors with the certificate validity
|
||
or trust status. Leave unpopulated if the validity or trust of the certificate
|
||
was unchecked.'
|
||
example: ERROR_UNTRUSTED_ROOT
|
||
default_field: false
|
||
- name: code_signature.subject_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Subject name of the code signer
|
||
example: Microsoft Corporation
|
||
default_field: false
|
||
- name: code_signature.team_id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The team identifier used to sign the process.
|
||
|
||
This is used to identify the team or vendor of a software product. The field
|
||
is relevant to Apple *OS only.'
|
||
example: EQHXZ8M8AV
|
||
default_field: false
|
||
- name: code_signature.timestamp
|
||
level: extended
|
||
type: date
|
||
description: Date and time when the code signature was generated and signed.
|
||
example: '2021-01-01T12:10:30Z'
|
||
default_field: false
|
||
- name: code_signature.trusted
|
||
level: extended
|
||
type: boolean
|
||
description: 'Stores the trust status of the certificate chain.
|
||
|
||
Validating the trust of the certificate chain may be complicated, and this
|
||
field should only be populated by tools that actively check the status.'
|
||
example: 'true'
|
||
default_field: false
|
||
- name: code_signature.valid
|
||
level: extended
|
||
type: boolean
|
||
description: 'Boolean to capture if the digital signature is verified against
|
||
the binary content.
|
||
|
||
Leave unpopulated if a certificate was unchecked.'
|
||
example: 'true'
|
||
default_field: false
|
||
- name: command_line
|
||
level: extended
|
||
type: wildcard
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: 'Full command line that started the process, including the absolute
|
||
path to the executable, and all arguments.
|
||
|
||
Some arguments may be filtered to protect sensitive information.'
|
||
example: /usr/bin/ssh -l user 10.0.0.16
|
||
default_field: false
|
||
- name: elf.architecture
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Machine architecture of the ELF file.
|
||
example: x86-64
|
||
default_field: false
|
||
- name: elf.byte_order
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Byte sequence of ELF file.
|
||
example: Little Endian
|
||
default_field: false
|
||
- name: elf.cpu_type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: CPU type of the ELF file.
|
||
example: Intel
|
||
default_field: false
|
||
- name: elf.creation_date
|
||
level: extended
|
||
type: date
|
||
description: Extracted when possible from the file's metadata. Indicates when
|
||
it was built or compiled. It can also be faked by malware creators.
|
||
default_field: false
|
||
- name: elf.exports
|
||
level: extended
|
||
type: flattened
|
||
description: List of exported element names and types.
|
||
default_field: false
|
||
- name: elf.header.abi_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Version of the ELF Application Binary Interface (ABI).
|
||
default_field: false
|
||
- name: elf.header.class
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Header class of the ELF file.
|
||
default_field: false
|
||
- name: elf.header.data
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Data table of the ELF header.
|
||
default_field: false
|
||
- name: elf.header.entrypoint
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: Header entrypoint of the ELF file.
|
||
default_field: false
|
||
- name: elf.header.object_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: '"0x1" for original ELF files.'
|
||
default_field: false
|
||
- name: elf.header.os_abi
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Application Binary Interface (ABI) of the Linux OS.
|
||
default_field: false
|
||
- name: elf.header.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Header type of the ELF file.
|
||
default_field: false
|
||
- name: elf.header.version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Version of the ELF header.
|
||
default_field: false
|
||
- name: elf.imports
|
||
level: extended
|
||
type: flattened
|
||
description: List of imported element names and types.
|
||
default_field: false
|
||
- name: elf.sections
|
||
level: extended
|
||
type: nested
|
||
description: 'An array containing an object for each section of the ELF file.
|
||
|
||
The keys that should be present in these objects are defined by sub-fields
|
||
underneath `elf.sections.*`.'
|
||
default_field: false
|
||
- name: elf.sections.chi2
|
||
level: extended
|
||
type: long
|
||
format: number
|
||
description: Chi-square probability distribution of the section.
|
||
default_field: false
|
||
- name: elf.sections.entropy
|
||
level: extended
|
||
type: long
|
||
format: number
|
||
description: Shannon entropy calculation from the section.
|
||
default_field: false
|
||
- name: elf.sections.flags
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List flags.
|
||
default_field: false
|
||
- name: elf.sections.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List name.
|
||
default_field: false
|
||
- name: elf.sections.physical_offset
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List offset.
|
||
default_field: false
|
||
- name: elf.sections.physical_size
|
||
level: extended
|
||
type: long
|
||
format: bytes
|
||
description: ELF Section List physical size.
|
||
default_field: false
|
||
- name: elf.sections.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List type.
|
||
default_field: false
|
||
- name: elf.sections.virtual_address
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: ELF Section List virtual address.
|
||
default_field: false
|
||
- name: elf.sections.virtual_size
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: ELF Section List virtual size.
|
||
default_field: false
|
||
- name: elf.segments
|
||
level: extended
|
||
type: nested
|
||
description: 'An array containing an object for each segment of the ELF file.
|
||
|
||
The keys that should be present in these objects are defined by sub-fields
|
||
underneath `elf.segments.*`.'
|
||
default_field: false
|
||
- name: elf.segments.sections
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF object segment sections.
|
||
default_field: false
|
||
- name: elf.segments.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF object segment type.
|
||
default_field: false
|
||
- name: elf.shared_libraries
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of shared libraries used by this ELF object.
|
||
default_field: false
|
||
- name: elf.telfhash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: telfhash symbol hash for ELF file.
|
||
default_field: false
|
||
- name: end
|
||
level: extended
|
||
type: date
|
||
description: The time the process ended.
|
||
example: '2016-05-23T08:05:34.853Z'
|
||
default_field: false
|
||
- name: entity_id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Unique identifier for the process.
|
||
|
||
The implementation of this is specified by the data source, but some examples
|
||
of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
|
||
or a hash of some uniquely identifying components of a process.
|
||
|
||
Constructing a globally unique identifier is a common practice to mitigate
|
||
PID reuse as well as to identify a specific process over time, across multiple
|
||
monitored hosts.'
|
||
example: c2c455d9f99375d
|
||
default_field: false
|
||
- name: executable
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Absolute path to the process executable.
|
||
example: /usr/bin/ssh
|
||
- name: exit_code
|
||
level: extended
|
||
type: long
|
||
description: 'The exit code of the process, if this is a termination event.
|
||
|
||
The field should be absent if there is no exit code for the event (e.g. process
|
||
start).'
|
||
example: 137
|
||
default_field: false
|
||
- name: hash.md5
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: MD5 hash.
|
||
- name: hash.sha1
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA1 hash.
|
||
- name: hash.sha256
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA256 hash.
|
||
- name: hash.sha512
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA512 hash.
|
||
- name: hash.ssdeep
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SSDEEP hash.
|
||
default_field: false
|
||
- name: name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: 'Process name.
|
||
|
||
Sometimes called program name or similar.'
|
||
example: ssh
|
||
- name: parent.args
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Array of process arguments, starting with the absolute path to
|
||
the executable.
|
||
|
||
May be filtered to protect sensitive information.'
|
||
example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
|
||
default_field: false
|
||
- name: parent.args_count
|
||
level: extended
|
||
type: long
|
||
description: 'Length of the process.args array.
|
||
|
||
This field can be useful for querying or performing bucket analysis on how
|
||
many arguments were provided to start a process. More arguments may be an
|
||
indication of suspicious activity.'
|
||
example: 4
|
||
default_field: false
|
||
- name: parent.code_signature.digest_algorithm
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The hashing algorithm used to sign the process.
|
||
|
||
This value can distinguish signatures when a file is signed multiple times
|
||
by the same signer but with a different digest algorithm.'
|
||
example: sha256
|
||
default_field: false
|
||
- name: parent.code_signature.exists
|
||
level: core
|
||
type: boolean
|
||
description: Boolean to capture if a signature is present.
|
||
example: 'true'
|
||
default_field: false
|
||
- name: parent.code_signature.signing_id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The identifier used to sign the process.
|
||
|
||
This is used to identify the application manufactured by a software vendor.
|
||
The field is relevant to Apple *OS only.'
|
||
example: com.apple.xpc.proxy
|
||
default_field: false
|
||
- name: parent.code_signature.status
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Additional information about the certificate status.
|
||
|
||
This is useful for logging cryptographic errors with the certificate validity
|
||
or trust status. Leave unpopulated if the validity or trust of the certificate
|
||
was unchecked.'
|
||
example: ERROR_UNTRUSTED_ROOT
|
||
default_field: false
|
||
- name: parent.code_signature.subject_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Subject name of the code signer
|
||
example: Microsoft Corporation
|
||
default_field: false
|
||
- name: parent.code_signature.team_id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The team identifier used to sign the process.
|
||
|
||
This is used to identify the team or vendor of a software product. The field
|
||
is relevant to Apple *OS only.'
|
||
example: EQHXZ8M8AV
|
||
default_field: false
|
||
- name: parent.code_signature.timestamp
|
||
level: extended
|
||
type: date
|
||
description: Date and time when the code signature was generated and signed.
|
||
example: '2021-01-01T12:10:30Z'
|
||
default_field: false
|
||
- name: parent.code_signature.trusted
|
||
level: extended
|
||
type: boolean
|
||
description: 'Stores the trust status of the certificate chain.
|
||
|
||
Validating the trust of the certificate chain may be complicated, and this
|
||
field should only be populated by tools that actively check the status.'
|
||
example: 'true'
|
||
default_field: false
|
||
- name: parent.code_signature.valid
|
||
level: extended
|
||
type: boolean
|
||
description: 'Boolean to capture if the digital signature is verified against
|
||
the binary content.
|
||
|
||
Leave unpopulated if a certificate was unchecked.'
|
||
example: 'true'
|
||
default_field: false
|
||
- name: parent.command_line
|
||
level: extended
|
||
type: wildcard
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: 'Full command line that started the process, including the absolute
|
||
path to the executable, and all arguments.
|
||
|
||
Some arguments may be filtered to protect sensitive information.'
|
||
example: /usr/bin/ssh -l user 10.0.0.16
|
||
default_field: false
|
||
- name: parent.elf.architecture
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Machine architecture of the ELF file.
|
||
example: x86-64
|
||
default_field: false
|
||
- name: parent.elf.byte_order
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Byte sequence of ELF file.
|
||
example: Little Endian
|
||
default_field: false
|
||
- name: parent.elf.cpu_type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: CPU type of the ELF file.
|
||
example: Intel
|
||
default_field: false
|
||
- name: parent.elf.creation_date
|
||
level: extended
|
||
type: date
|
||
description: Extracted when possible from the file's metadata. Indicates when
|
||
it was built or compiled. It can also be faked by malware creators.
|
||
default_field: false
|
||
- name: parent.elf.exports
|
||
level: extended
|
||
type: flattened
|
||
description: List of exported element names and types.
|
||
default_field: false
|
||
- name: parent.elf.header.abi_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Version of the ELF Application Binary Interface (ABI).
|
||
default_field: false
|
||
- name: parent.elf.header.class
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Header class of the ELF file.
|
||
default_field: false
|
||
- name: parent.elf.header.data
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Data table of the ELF header.
|
||
default_field: false
|
||
- name: parent.elf.header.entrypoint
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: Header entrypoint of the ELF file.
|
||
default_field: false
|
||
- name: parent.elf.header.object_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: '"0x1" for original ELF files.'
|
||
default_field: false
|
||
- name: parent.elf.header.os_abi
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Application Binary Interface (ABI) of the Linux OS.
|
||
default_field: false
|
||
- name: parent.elf.header.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Header type of the ELF file.
|
||
default_field: false
|
||
- name: parent.elf.header.version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Version of the ELF header.
|
||
default_field: false
|
||
- name: parent.elf.imports
|
||
level: extended
|
||
type: flattened
|
||
description: List of imported element names and types.
|
||
default_field: false
|
||
- name: parent.elf.sections
|
||
level: extended
|
||
type: nested
|
||
description: 'An array containing an object for each section of the ELF file.
|
||
|
||
The keys that should be present in these objects are defined by sub-fields
|
||
underneath `elf.sections.*`.'
|
||
default_field: false
|
||
- name: parent.elf.sections.chi2
|
||
level: extended
|
||
type: long
|
||
format: number
|
||
description: Chi-square probability distribution of the section.
|
||
default_field: false
|
||
- name: parent.elf.sections.entropy
|
||
level: extended
|
||
type: long
|
||
format: number
|
||
description: Shannon entropy calculation from the section.
|
||
default_field: false
|
||
- name: parent.elf.sections.flags
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List flags.
|
||
default_field: false
|
||
- name: parent.elf.sections.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List name.
|
||
default_field: false
|
||
- name: parent.elf.sections.physical_offset
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List offset.
|
||
default_field: false
|
||
- name: parent.elf.sections.physical_size
|
||
level: extended
|
||
type: long
|
||
format: bytes
|
||
description: ELF Section List physical size.
|
||
default_field: false
|
||
- name: parent.elf.sections.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List type.
|
||
default_field: false
|
||
- name: parent.elf.sections.virtual_address
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: ELF Section List virtual address.
|
||
default_field: false
|
||
- name: parent.elf.sections.virtual_size
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: ELF Section List virtual size.
|
||
default_field: false
|
||
- name: parent.elf.segments
|
||
level: extended
|
||
type: nested
|
||
description: 'An array containing an object for each segment of the ELF file.
|
||
|
||
The keys that should be present in these objects are defined by sub-fields
|
||
underneath `elf.segments.*`.'
|
||
default_field: false
|
||
- name: parent.elf.segments.sections
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF object segment sections.
|
||
default_field: false
|
||
- name: parent.elf.segments.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF object segment type.
|
||
default_field: false
|
||
- name: parent.elf.shared_libraries
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of shared libraries used by this ELF object.
|
||
default_field: false
|
||
- name: parent.elf.telfhash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: telfhash symbol hash for ELF file.
|
||
default_field: false
|
||
- name: parent.end
|
||
level: extended
|
||
type: date
|
||
description: The time the process ended.
|
||
example: '2016-05-23T08:05:34.853Z'
|
||
default_field: false
|
||
- name: parent.entity_id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Unique identifier for the process.
|
||
|
||
The implementation of this is specified by the data source, but some examples
|
||
of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
|
||
or a hash of some uniquely identifying components of a process.
|
||
|
||
Constructing a globally unique identifier is a common practice to mitigate
|
||
PID reuse as well as to identify a specific process over time, across multiple
|
||
monitored hosts.'
|
||
example: c2c455d9f99375d
|
||
default_field: false
|
||
- name: parent.executable
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: Absolute path to the process executable.
|
||
example: /usr/bin/ssh
|
||
default_field: false
|
||
- name: parent.exit_code
|
||
level: extended
|
||
type: long
|
||
description: 'The exit code of the process, if this is a termination event.
|
||
|
||
The field should be absent if there is no exit code for the event (e.g. process
|
||
start).'
|
||
example: 137
|
||
default_field: false
|
||
- name: parent.hash.md5
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: MD5 hash.
|
||
default_field: false
|
||
- name: parent.hash.sha1
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA1 hash.
|
||
default_field: false
|
||
- name: parent.hash.sha256
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA256 hash.
|
||
default_field: false
|
||
- name: parent.hash.sha512
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA512 hash.
|
||
default_field: false
|
||
- name: parent.hash.ssdeep
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SSDEEP hash.
|
||
default_field: false
|
||
- name: parent.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: 'Process name.
|
||
|
||
Sometimes called program name or similar.'
|
||
example: ssh
|
||
default_field: false
|
||
- name: parent.pe.architecture
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: CPU architecture target for the file.
|
||
example: x64
|
||
default_field: false
|
||
- name: parent.pe.company
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal company name of the file, provided at compile-time.
|
||
example: Microsoft Corporation
|
||
default_field: false
|
||
- name: parent.pe.description
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal description of the file, provided at compile-time.
|
||
example: Paint
|
||
default_field: false
|
||
- name: parent.pe.file_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal version of the file, provided at compile-time.
|
||
example: 6.3.9600.17415
|
||
default_field: false
|
||
- name: parent.pe.imphash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'A hash of the imports in a PE file. An imphash -- or import hash
|
||
-- can be used to fingerprint binaries even after recompilation or other code-level
|
||
transformations have occurred, which would change more traditional hash values.
|
||
|
||
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
|
||
example: 0c6803c4e922103c4dca5963aad36ddf
|
||
default_field: false
|
||
- name: parent.pe.original_file_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal name of the file, provided at compile-time.
|
||
example: MSPAINT.EXE
|
||
default_field: false
|
||
- name: parent.pe.product
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal product name of the file, provided at compile-time.
|
||
example: "Microsoft\xAE Windows\xAE Operating System"
|
||
default_field: false
|
||
- name: parent.pgid
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: Identifier of the group of processes the process belongs to.
|
||
default_field: false
|
||
- name: parent.pid
|
||
level: core
|
||
type: long
|
||
format: string
|
||
description: Process id.
|
||
example: 4242
|
||
default_field: false
|
||
- name: parent.ppid
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: Parent process' pid.
|
||
example: 4241
|
||
default_field: false
|
||
- name: parent.start
|
||
level: extended
|
||
type: date
|
||
description: The time the process started.
|
||
example: '2016-05-23T08:05:34.853Z'
|
||
default_field: false
|
||
- name: parent.thread.id
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: Thread ID.
|
||
example: 4242
|
||
default_field: false
|
||
- name: parent.thread.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Thread name.
|
||
example: thread-0
|
||
default_field: false
|
||
- name: parent.title
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: 'Process title.
|
||
|
||
The proctitle, some times the same as process name. Can also be different:
|
||
for example a browser setting its title to the web page currently opened.'
|
||
default_field: false
|
||
- name: parent.uptime
|
||
level: extended
|
||
type: long
|
||
description: Seconds the process has been up.
|
||
example: 1325
|
||
default_field: false
|
||
- name: parent.working_directory
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: The working directory of the process.
|
||
example: /home/alice
|
||
default_field: false
|
||
- name: pe.architecture
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: CPU architecture target for the file.
|
||
example: x64
|
||
default_field: false
|
||
- name: pe.company
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal company name of the file, provided at compile-time.
|
||
example: Microsoft Corporation
|
||
default_field: false
|
||
- name: pe.description
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal description of the file, provided at compile-time.
|
||
example: Paint
|
||
default_field: false
|
||
- name: pe.file_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal version of the file, provided at compile-time.
|
||
example: 6.3.9600.17415
|
||
default_field: false
|
||
- name: pe.imphash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'A hash of the imports in a PE file. An imphash -- or import hash
|
||
-- can be used to fingerprint binaries even after recompilation or other code-level
|
||
transformations have occurred, which would change more traditional hash values.
|
||
|
||
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
|
||
example: 0c6803c4e922103c4dca5963aad36ddf
|
||
default_field: false
|
||
- name: pe.original_file_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal name of the file, provided at compile-time.
|
||
example: MSPAINT.EXE
|
||
default_field: false
|
||
- name: pe.product
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal product name of the file, provided at compile-time.
|
||
example: "Microsoft\xAE Windows\xAE Operating System"
|
||
default_field: false
|
||
- name: pgid
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: Identifier of the group of processes the process belongs to.
|
||
- name: pid
|
||
level: core
|
||
type: long
|
||
format: string
|
||
description: Process id.
|
||
example: 4242
|
||
- name: ppid
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: Parent process' pid.
|
||
example: 4241
|
||
- name: start
|
||
level: extended
|
||
type: date
|
||
description: The time the process started.
|
||
example: '2016-05-23T08:05:34.853Z'
|
||
- name: thread.id
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: Thread ID.
|
||
example: 4242
|
||
- name: thread.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Thread name.
|
||
example: thread-0
|
||
- name: title
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: 'Process title.
|
||
|
||
The proctitle, some times the same as process name. Can also be different:
|
||
for example a browser setting its title to the web page currently opened.'
|
||
- name: uptime
|
||
level: extended
|
||
type: long
|
||
description: Seconds the process has been up.
|
||
example: 1325
|
||
- name: working_directory
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: The working directory of the process.
|
||
example: /home/alice
|
||
- name: registry
|
||
title: Registry
|
||
group: 2
|
||
description: Fields related to Windows Registry operations.
|
||
type: group
|
||
fields:
|
||
- name: data.bytes
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Original bytes written with base64 encoding.
|
||
|
||
For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
|
||
corresponds to the data pointed by `lp_data`. This is optional but provides
|
||
better recoverability and should be populated for REG_BINARY encoded values.'
|
||
example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
|
||
default_field: false
|
||
- name: data.strings
|
||
level: core
|
||
type: wildcard
|
||
description: 'Content when writing string types.
|
||
|
||
Populated as an array when writing string data to the registry. For single
|
||
string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
|
||
one string. For sequences of string with REG_MULTI_SZ, this array will be
|
||
variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
|
||
be populated with the decimal representation (e.g `"1"`).'
|
||
example: '["C:\rta\red_ttp\bin\myapp.exe"]'
|
||
default_field: false
|
||
- name: data.type
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Standard registry type for encoding contents
|
||
example: REG_SZ
|
||
default_field: false
|
||
- name: hive
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Abbreviated name for the hive.
|
||
example: HKLM
|
||
default_field: false
|
||
- name: key
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Hive-relative path of keys.
|
||
example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
|
||
default_field: false
|
||
- name: path
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Full path, including hive, key and value
|
||
example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
|
||
Options\winword.exe\Debugger
|
||
default_field: false
|
||
- name: value
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the value written.
|
||
example: Debugger
|
||
default_field: false
|
||
- name: related
|
||
title: Related
|
||
group: 2
|
||
description: 'This field set is meant to facilitate pivoting around a piece of
|
||
data.
|
||
|
||
Some pieces of information can be seen in many places in an ECS event. To facilitate
|
||
searching for them, store an array of all seen values to their corresponding
|
||
field in `related.`.
|
||
|
||
A concrete example is IP addresses, which can be under host, observer, source,
|
||
destination, client, server, and network.forwarded_ip. If you append all IPs
|
||
to `related.ip`, you can then search for a given IP trivially, no matter where
|
||
it appeared, by querying `related.ip:192.0.2.15`.'
|
||
type: group
|
||
fields:
|
||
- name: hash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: All the hashes seen on your event. Populating this field, then
|
||
using it to search for hashes can help in situations where you're unsure what
|
||
the hash algorithm is (and therefore which key name to search).
|
||
default_field: false
|
||
- name: hosts
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: All hostnames or other host identifiers seen on your event. Example
|
||
identifiers include FQDNs, domain names, workstation names, or aliases.
|
||
default_field: false
|
||
- name: ip
|
||
level: extended
|
||
type: ip
|
||
description: All of the IPs seen on your event.
|
||
- name: user
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: All the user names or other user identifiers seen on the event.
|
||
default_field: false
|
||
- name: rule
|
||
title: Rule
|
||
group: 2
|
||
description: 'Rule fields are used to capture the specifics of any observer or
|
||
agent rules that generate alerts or other notable events.
|
||
|
||
Examples of data sources that would populate the rule fields include: network
|
||
admission control platforms, network or host IDS/IPS, network firewalls, web
|
||
application firewalls, url filters, endpoint detection and response (EDR) systems,
|
||
etc.'
|
||
type: group
|
||
fields:
|
||
- name: author
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name, organization, or pseudonym of the author or authors who created
|
||
the rule used to generate this event.
|
||
example: '["Star-Lord"]'
|
||
default_field: false
|
||
- name: category
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: A categorization value keyword used by the entity using the rule
|
||
for detection of this event.
|
||
example: Attempted Information Leak
|
||
default_field: false
|
||
- name: description
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The description of the rule generating the event.
|
||
example: Block requests to public DNS over HTTPS / TLS protocols
|
||
default_field: false
|
||
- name: id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: A rule ID that is unique within the scope of an agent, observer,
|
||
or other entity using the rule for detection of this event.
|
||
example: 101
|
||
default_field: false
|
||
- name: license
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the license under which the rule used to generate this
|
||
event is made available.
|
||
example: Apache 2.0
|
||
default_field: false
|
||
- name: name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The name of the rule or signature generating the event.
|
||
example: BLOCK_DNS_over_TLS
|
||
default_field: false
|
||
- name: reference
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Reference URL to additional information about the rule used to
|
||
generate this event.
|
||
|
||
The URL can point to the vendor''s documentation about the rule. If that''s
|
||
not available, it can also be a link to a more general page describing this
|
||
type of alert.'
|
||
example: https://en.wikipedia.org/wiki/DNS_over_TLS
|
||
default_field: false
|
||
- name: ruleset
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the ruleset, policy, group, or parent category in which
|
||
the rule used to generate this event is a member.
|
||
example: Standard_Protocol_Filters
|
||
default_field: false
|
||
- name: uuid
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: A rule ID that is unique within the scope of a set or group of
|
||
agents, observers, or other entities using the rule for detection of this
|
||
event.
|
||
example: 1100110011
|
||
default_field: false
|
||
- name: version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The version / revision of the rule being used for analysis.
|
||
example: 1.1
|
||
default_field: false
|
||
- name: server
|
||
title: Server
|
||
group: 2
|
||
description: 'A Server is defined as the responder in a network connection for
|
||
events regarding sessions, connections, or bidirectional flow records.
|
||
|
||
For TCP events, the server is the receiver of the initial SYN packet(s) of the
|
||
TCP connection. For other protocols, the server is generally the responder in
|
||
the network transaction. Some systems actually use the term "responder" to refer
|
||
the server in TCP connections. The server fields describe details about the
|
||
system acting as the server in the network event. Server fields are usually
|
||
populated in conjunction with client fields. Server fields are generally not
|
||
populated for packet-level events.
|
||
|
||
Client / server representations can add semantic context to an exchange, which
|
||
is helpful to visualize the data in certain situations. If your context falls
|
||
in that category, you should still ensure that source and destination are filled
|
||
appropriately.'
|
||
type: group
|
||
fields:
|
||
- name: address
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Some event server addresses are defined ambiguously. The event
|
||
will sometimes list an IP, a domain or a unix socket. You should always store
|
||
the raw address in the `.address` field.
|
||
|
||
Then it should be duplicated to `.ip` or `.domain`, depending on which one
|
||
it is.'
|
||
- name: as.number
|
||
level: extended
|
||
type: long
|
||
description: Unique number allocated to the autonomous system. The autonomous
|
||
system number (ASN) uniquely identifies each network on the Internet.
|
||
example: 15169
|
||
- name: as.organization.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Organization name.
|
||
example: Google LLC
|
||
- name: bytes
|
||
level: core
|
||
type: long
|
||
format: bytes
|
||
description: Bytes sent from the server to the client.
|
||
example: 184
|
||
- name: domain
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Server domain.
|
||
- name: geo.city_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: City name.
|
||
example: Montreal
|
||
- name: geo.continent_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Two-letter code representing continent's name.
|
||
example: NA
|
||
default_field: false
|
||
- name: geo.continent_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the continent.
|
||
example: North America
|
||
- name: geo.country_iso_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Country ISO code.
|
||
example: CA
|
||
- name: geo.country_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Country name.
|
||
example: Canada
|
||
- name: geo.location
|
||
level: core
|
||
type: geo_point
|
||
description: Longitude and latitude.
|
||
example: '{ "lon": -73.614830, "lat": 45.505918 }'
|
||
- name: geo.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'User-defined description of a location, at the level of granularity
|
||
they care about.
|
||
|
||
Could be the name of their data centers, the floor number, if this describes
|
||
a local physical entity, city names.
|
||
|
||
Not typically used in automated geolocation.'
|
||
example: boston-dc
|
||
- name: geo.postal_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Postal code associated with the location.
|
||
|
||
Values appropriate for this field may also be known as a postcode or ZIP code
|
||
and will vary widely from country to country.'
|
||
example: 94040
|
||
default_field: false
|
||
- name: geo.region_iso_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Region ISO code.
|
||
example: CA-QC
|
||
- name: geo.region_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Region name.
|
||
example: Quebec
|
||
- name: geo.timezone
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The time zone of the location, such as IANA time zone name.
|
||
example: America/Argentina/Buenos_Aires
|
||
default_field: false
|
||
- name: ip
|
||
level: core
|
||
type: ip
|
||
description: IP address of the server (IPv4 or IPv6).
|
||
- name: mac
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'MAC address of the server.
|
||
|
||
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
|
||
byte) is represented by two [uppercase] hexadecimal digits giving the value
|
||
of the octet as an unsigned integer. Successive octets are separated by a
|
||
hyphen.'
|
||
example: 00-00-5E-00-53-23
|
||
- name: nat.ip
|
||
level: extended
|
||
type: ip
|
||
description: 'Translated ip of destination based NAT sessions (e.g. internet
|
||
to private DMZ)
|
||
|
||
Typically used with load balancers, firewalls, or routers.'
|
||
- name: nat.port
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: 'Translated port of destination based NAT sessions (e.g. internet
|
||
to private DMZ)
|
||
|
||
Typically used with load balancers, firewalls, or routers.'
|
||
- name: packets
|
||
level: core
|
||
type: long
|
||
description: Packets sent from the server to the client.
|
||
example: 12
|
||
- name: port
|
||
level: core
|
||
type: long
|
||
format: string
|
||
description: Port of the server.
|
||
- name: registered_domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The highest registered server domain, stripped of the subdomain.
|
||
|
||
For example, the registered domain for "foo.example.com" is "example.com".
|
||
|
||
This value can be determined precisely with a list like the public suffix
|
||
list (http://publicsuffix.org). Trying to approximate this by simply taking
|
||
the last two labels will not work well for TLDs such as "co.uk".'
|
||
example: example.com
|
||
- name: subdomain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The subdomain portion of a fully qualified domain name includes
|
||
all of the names except the host name under the registered_domain. In a partially
|
||
qualified domain, or if the the qualification level of the full name cannot
|
||
be determined, subdomain contains all of the names below the registered domain.
|
||
|
||
For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
|
||
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
|
||
the subdomain field should contain "sub2.sub1", with no trailing period.'
|
||
example: east
|
||
default_field: false
|
||
- name: top_level_domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The effective top level domain (eTLD), also known as the domain
|
||
suffix, is the last part of the domain name. For example, the top level domain
|
||
for example.com is "com".
|
||
|
||
This value can be determined precisely with a list like the public suffix
|
||
list (http://publicsuffix.org). Trying to approximate this by simply taking
|
||
the last label will not work well for effective TLDs such as "co.uk".'
|
||
example: co.uk
|
||
- name: user.domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the directory the user is a member of.
|
||
|
||
For example, an LDAP or Active Directory domain name.'
|
||
- name: user.email
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: User email address.
|
||
- name: user.full_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: User's full name, if available.
|
||
example: Albert Einstein
|
||
- name: user.group.domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the directory the group is a member of.
|
||
|
||
For example, an LDAP or Active Directory domain name.'
|
||
- name: user.group.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier for the group on the system/platform.
|
||
- name: user.group.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the group.
|
||
- name: user.hash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Unique user hash to correlate information for a user in anonymized
|
||
form.
|
||
|
||
Useful if `user.id` or `user.name` contain confidential information and cannot
|
||
be used.'
|
||
- name: user.id
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier of the user.
|
||
example: S-1-5-21-202424912787-2692429404-2351956786-1000
|
||
- name: user.name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Short name or login of the user.
|
||
example: a.einstein
|
||
- name: user.roles
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Array of user roles at the time of the event.
|
||
example: '["kibana_admin", "reporting_user"]'
|
||
default_field: false
|
||
- name: service
|
||
title: Service
|
||
group: 2
|
||
description: 'The service fields describe the service for or from which the data
|
||
was collected.
|
||
|
||
These fields help you find and correlate logs for a specific service and version.'
|
||
type: group
|
||
fields:
|
||
- name: address
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Address where data about this service was collected from.
|
||
|
||
This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource
|
||
path (sockets).'
|
||
example: 172.26.0.2:5432
|
||
default_field: false
|
||
- name: environment
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Identifies the environment where the service is running.
|
||
|
||
If the same service runs in different environments (production, staging, QA,
|
||
development, etc.), the environment can identify other instances of the same
|
||
service. Can also group services and applications from the same environment.'
|
||
example: production
|
||
default_field: false
|
||
- name: ephemeral_id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Ephemeral identifier of this service (if one exists).
|
||
|
||
This id normally changes across restarts, but `service.id` does not.'
|
||
example: 8a4f500f
|
||
- name: id
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Unique identifier of the running service. If the service is comprised
|
||
of many nodes, the `service.id` should be the same for all nodes.
|
||
|
||
This id should uniquely identify the service. This makes it possible to correlate
|
||
logs and metrics for one specific service, no matter which particular node
|
||
emitted the event.
|
||
|
||
Note that if you need to see the events from one specific host of the service,
|
||
you should filter on that `host.name` or `host.id` instead.'
|
||
example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
|
||
- name: name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the service data is collected from.
|
||
|
||
The name of the service is normally user given. This allows for distributed
|
||
services that run on multiple hosts to correlate the related instances based
|
||
on the name.
|
||
|
||
In the case of Elasticsearch the `service.name` could contain the cluster
|
||
name. For Beats the `service.name` is by default a copy of the `service.type`
|
||
field if no name is specified.'
|
||
example: elasticsearch-metrics
|
||
- name: node.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of a service node.
|
||
|
||
This allows for two nodes of the same service running on the same host to
|
||
be differentiated. Therefore, `service.node.name` should typically be unique
|
||
across nodes of a given service.
|
||
|
||
In the case of Elasticsearch, the `service.node.name` could contain the unique
|
||
node name within the Elasticsearch cluster. In cases where the service doesn''t
|
||
have the concept of a node name, the host name or container name can be used
|
||
to distinguish running instances that make up this service. If those do not
|
||
provide uniqueness (e.g. multiple instances of the service running on the
|
||
same host) - the node name can be manually set.'
|
||
example: instance-0000000016
|
||
- name: state
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Current state of the service.
|
||
- name: type
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The type of the service data is collected from.
|
||
|
||
The type can be used to group and correlate logs and metrics from one service
|
||
type.
|
||
|
||
Example: If logs or metrics are collected from Elasticsearch, `service.type`
|
||
would be `elasticsearch`.'
|
||
example: elasticsearch
|
||
- name: version
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Version of the service the data was collected from.
|
||
|
||
This allows to look at a data set only for a specific version of a service.'
|
||
example: 3.2.4
|
||
- name: source
|
||
title: Source
|
||
group: 2
|
||
description: 'Source fields capture details about the sender of a network exchange/packet.
|
||
These fields are populated from a network event, packet, or other event containing
|
||
details of a network transaction.
|
||
|
||
Source fields are usually populated in conjunction with destination fields.
|
||
The source and destination fields are considered the baseline and should always
|
||
be filled if an event contains source and destination details from a network
|
||
transaction. If the event also contains identification of the client and server
|
||
roles, then the client and server fields should also be populated.'
|
||
type: group
|
||
fields:
|
||
- name: address
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Some event source addresses are defined ambiguously. The event
|
||
will sometimes list an IP, a domain or a unix socket. You should always store
|
||
the raw address in the `.address` field.
|
||
|
||
Then it should be duplicated to `.ip` or `.domain`, depending on which one
|
||
it is.'
|
||
- name: as.number
|
||
level: extended
|
||
type: long
|
||
description: Unique number allocated to the autonomous system. The autonomous
|
||
system number (ASN) uniquely identifies each network on the Internet.
|
||
example: 15169
|
||
- name: as.organization.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Organization name.
|
||
example: Google LLC
|
||
- name: bytes
|
||
level: core
|
||
type: long
|
||
format: bytes
|
||
description: Bytes sent from the source to the destination.
|
||
example: 184
|
||
- name: domain
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Source domain.
|
||
- name: geo.city_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: City name.
|
||
example: Montreal
|
||
- name: geo.continent_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Two-letter code representing continent's name.
|
||
example: NA
|
||
default_field: false
|
||
- name: geo.continent_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the continent.
|
||
example: North America
|
||
- name: geo.country_iso_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Country ISO code.
|
||
example: CA
|
||
- name: geo.country_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Country name.
|
||
example: Canada
|
||
- name: geo.location
|
||
level: core
|
||
type: geo_point
|
||
description: Longitude and latitude.
|
||
example: '{ "lon": -73.614830, "lat": 45.505918 }'
|
||
- name: geo.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'User-defined description of a location, at the level of granularity
|
||
they care about.
|
||
|
||
Could be the name of their data centers, the floor number, if this describes
|
||
a local physical entity, city names.
|
||
|
||
Not typically used in automated geolocation.'
|
||
example: boston-dc
|
||
- name: geo.postal_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Postal code associated with the location.
|
||
|
||
Values appropriate for this field may also be known as a postcode or ZIP code
|
||
and will vary widely from country to country.'
|
||
example: 94040
|
||
default_field: false
|
||
- name: geo.region_iso_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Region ISO code.
|
||
example: CA-QC
|
||
- name: geo.region_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Region name.
|
||
example: Quebec
|
||
- name: geo.timezone
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The time zone of the location, such as IANA time zone name.
|
||
example: America/Argentina/Buenos_Aires
|
||
default_field: false
|
||
- name: ip
|
||
level: core
|
||
type: ip
|
||
description: IP address of the source (IPv4 or IPv6).
|
||
- name: mac
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'MAC address of the source.
|
||
|
||
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit
|
||
byte) is represented by two [uppercase] hexadecimal digits giving the value
|
||
of the octet as an unsigned integer. Successive octets are separated by a
|
||
hyphen.'
|
||
example: 00-00-5E-00-53-23
|
||
- name: nat.ip
|
||
level: extended
|
||
type: ip
|
||
description: 'Translated ip of source based NAT sessions (e.g. internal client
|
||
to internet)
|
||
|
||
Typically connections traversing load balancers, firewalls, or routers.'
|
||
- name: nat.port
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: 'Translated port of source based NAT sessions. (e.g. internal client
|
||
to internet)
|
||
|
||
Typically used with load balancers, firewalls, or routers.'
|
||
- name: packets
|
||
level: core
|
||
type: long
|
||
description: Packets sent from the source to the destination.
|
||
example: 12
|
||
- name: port
|
||
level: core
|
||
type: long
|
||
format: string
|
||
description: Port of the source.
|
||
- name: registered_domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The highest registered source domain, stripped of the subdomain.
|
||
|
||
For example, the registered domain for "foo.example.com" is "example.com".
|
||
|
||
This value can be determined precisely with a list like the public suffix
|
||
list (http://publicsuffix.org). Trying to approximate this by simply taking
|
||
the last two labels will not work well for TLDs such as "co.uk".'
|
||
example: example.com
|
||
- name: subdomain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The subdomain portion of a fully qualified domain name includes
|
||
all of the names except the host name under the registered_domain. In a partially
|
||
qualified domain, or if the the qualification level of the full name cannot
|
||
be determined, subdomain contains all of the names below the registered domain.
|
||
|
||
For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
|
||
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
|
||
the subdomain field should contain "sub2.sub1", with no trailing period.'
|
||
example: east
|
||
default_field: false
|
||
- name: top_level_domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The effective top level domain (eTLD), also known as the domain
|
||
suffix, is the last part of the domain name. For example, the top level domain
|
||
for example.com is "com".
|
||
|
||
This value can be determined precisely with a list like the public suffix
|
||
list (http://publicsuffix.org). Trying to approximate this by simply taking
|
||
the last label will not work well for effective TLDs such as "co.uk".'
|
||
example: co.uk
|
||
- name: user.domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the directory the user is a member of.
|
||
|
||
For example, an LDAP or Active Directory domain name.'
|
||
- name: user.email
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: User email address.
|
||
- name: user.full_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: User's full name, if available.
|
||
example: Albert Einstein
|
||
- name: user.group.domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the directory the group is a member of.
|
||
|
||
For example, an LDAP or Active Directory domain name.'
|
||
- name: user.group.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier for the group on the system/platform.
|
||
- name: user.group.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the group.
|
||
- name: user.hash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Unique user hash to correlate information for a user in anonymized
|
||
form.
|
||
|
||
Useful if `user.id` or `user.name` contain confidential information and cannot
|
||
be used.'
|
||
- name: user.id
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier of the user.
|
||
example: S-1-5-21-202424912787-2692429404-2351956786-1000
|
||
- name: user.name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Short name or login of the user.
|
||
example: a.einstein
|
||
- name: user.roles
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Array of user roles at the time of the event.
|
||
example: '["kibana_admin", "reporting_user"]'
|
||
default_field: false
|
||
- name: threat
|
||
title: Threat
|
||
group: 2
|
||
description: "Fields to classify events and alerts according to a threat taxonomy\
|
||
\ such as the MITRE ATT&CK\xAE framework.\nThese fields are for users to classify\
|
||
\ alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy.\
|
||
\ The threat.tactic.* are meant to capture the high level category of the threat\
|
||
\ (e.g. \"impact\"). The threat.technique.* fields are meant to capture which\
|
||
\ kind of approach is used by this detected threat, to accomplish the goal (e.g.\
|
||
\ \"endpoint denial of service\")."
|
||
type: group
|
||
fields:
|
||
- name: enrichments
|
||
level: extended
|
||
type: nested
|
||
description: A list of associated indicators objects enriching the event, and
|
||
the context of that association/enrichment.
|
||
default_field: false
|
||
- name: enrichments.indicator
|
||
level: extended
|
||
type: object
|
||
description: Object containing associated indicators enriching the event.
|
||
default_field: false
|
||
- name: enrichments.indicator.as.number
|
||
level: extended
|
||
type: long
|
||
description: Unique number allocated to the autonomous system. The autonomous
|
||
system number (ASN) uniquely identifies each network on the Internet.
|
||
example: 15169
|
||
default_field: false
|
||
- name: enrichments.indicator.as.organization.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: Organization name.
|
||
example: Google LLC
|
||
default_field: false
|
||
- name: enrichments.indicator.confidence
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\
|
||
using\_STIX\_confidence scales. Expected values:\n * Not Specified, None,\
|
||
\ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\
|
||
\ * WEP Scale (Impossible - Certain)"
|
||
example: High
|
||
default_field: false
|
||
- name: enrichments.indicator.description
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Describes the type of action conducted by the threat.
|
||
example: IP x.x.x.x was observed delivering the Angler EK.
|
||
default_field: false
|
||
- name: enrichments.indicator.email.address
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Identifies a threat indicator as an email address (irrespective
|
||
of direction).
|
||
example: phish@example.com
|
||
default_field: false
|
||
- name: enrichments.indicator.file.accessed
|
||
level: extended
|
||
type: date
|
||
description: 'Last time the file was accessed.
|
||
|
||
Note that not all filesystems keep track of access time.'
|
||
default_field: false
|
||
- name: enrichments.indicator.file.attributes
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Array of file attributes.
|
||
|
||
Attributes names will vary by platform. Here''s a non-exhaustive list of values
|
||
that are expected in this field: archive, compressed, directory, encrypted,
|
||
execute, hidden, read, readonly, system, write.'
|
||
example: '["readonly", "system"]'
|
||
default_field: false
|
||
- name: enrichments.indicator.file.code_signature.digest_algorithm
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The hashing algorithm used to sign the process.
|
||
|
||
This value can distinguish signatures when a file is signed multiple times
|
||
by the same signer but with a different digest algorithm.'
|
||
example: sha256
|
||
default_field: false
|
||
- name: enrichments.indicator.file.code_signature.exists
|
||
level: core
|
||
type: boolean
|
||
description: Boolean to capture if a signature is present.
|
||
example: 'true'
|
||
default_field: false
|
||
- name: enrichments.indicator.file.code_signature.signing_id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The identifier used to sign the process.
|
||
|
||
This is used to identify the application manufactured by a software vendor.
|
||
The field is relevant to Apple *OS only.'
|
||
example: com.apple.xpc.proxy
|
||
default_field: false
|
||
- name: enrichments.indicator.file.code_signature.status
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Additional information about the certificate status.
|
||
|
||
This is useful for logging cryptographic errors with the certificate validity
|
||
or trust status. Leave unpopulated if the validity or trust of the certificate
|
||
was unchecked.'
|
||
example: ERROR_UNTRUSTED_ROOT
|
||
default_field: false
|
||
- name: enrichments.indicator.file.code_signature.subject_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Subject name of the code signer
|
||
example: Microsoft Corporation
|
||
default_field: false
|
||
- name: enrichments.indicator.file.code_signature.team_id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The team identifier used to sign the process.
|
||
|
||
This is used to identify the team or vendor of a software product. The field
|
||
is relevant to Apple *OS only.'
|
||
example: EQHXZ8M8AV
|
||
default_field: false
|
||
- name: enrichments.indicator.file.code_signature.timestamp
|
||
level: extended
|
||
type: date
|
||
description: Date and time when the code signature was generated and signed.
|
||
example: '2021-01-01T12:10:30Z'
|
||
default_field: false
|
||
- name: enrichments.indicator.file.code_signature.trusted
|
||
level: extended
|
||
type: boolean
|
||
description: 'Stores the trust status of the certificate chain.
|
||
|
||
Validating the trust of the certificate chain may be complicated, and this
|
||
field should only be populated by tools that actively check the status.'
|
||
example: 'true'
|
||
default_field: false
|
||
- name: enrichments.indicator.file.code_signature.valid
|
||
level: extended
|
||
type: boolean
|
||
description: 'Boolean to capture if the digital signature is verified against
|
||
the binary content.
|
||
|
||
Leave unpopulated if a certificate was unchecked.'
|
||
example: 'true'
|
||
default_field: false
|
||
- name: enrichments.indicator.file.created
|
||
level: extended
|
||
type: date
|
||
description: 'File creation time.
|
||
|
||
Note that not all filesystems store the creation time.'
|
||
default_field: false
|
||
- name: enrichments.indicator.file.ctime
|
||
level: extended
|
||
type: date
|
||
description: 'Last time the file attributes or metadata changed.
|
||
|
||
Note that changes to the file content will update `mtime`. This implies `ctime`
|
||
will be adjusted at the same time, since `mtime` is an attribute of the file.'
|
||
default_field: false
|
||
- name: enrichments.indicator.file.device
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Device that is the source of the file.
|
||
example: sda
|
||
default_field: false
|
||
- name: enrichments.indicator.file.directory
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Directory where the file is located. It should include the drive
|
||
letter, when appropriate.
|
||
example: /home/alice
|
||
default_field: false
|
||
- name: enrichments.indicator.file.drive_letter
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1
|
||
description: 'Drive letter where the file is located. This field is only relevant
|
||
on Windows.
|
||
|
||
The value should be uppercase, and not include the colon.'
|
||
example: C
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.architecture
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Machine architecture of the ELF file.
|
||
example: x86-64
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.byte_order
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Byte sequence of ELF file.
|
||
example: Little Endian
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.cpu_type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: CPU type of the ELF file.
|
||
example: Intel
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.creation_date
|
||
level: extended
|
||
type: date
|
||
description: Extracted when possible from the file's metadata. Indicates when
|
||
it was built or compiled. It can also be faked by malware creators.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.exports
|
||
level: extended
|
||
type: flattened
|
||
description: List of exported element names and types.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.header.abi_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Version of the ELF Application Binary Interface (ABI).
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.header.class
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Header class of the ELF file.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.header.data
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Data table of the ELF header.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.header.entrypoint
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: Header entrypoint of the ELF file.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.header.object_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: '"0x1" for original ELF files.'
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.header.os_abi
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Application Binary Interface (ABI) of the Linux OS.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.header.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Header type of the ELF file.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.header.version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Version of the ELF header.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.imports
|
||
level: extended
|
||
type: flattened
|
||
description: List of imported element names and types.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.sections
|
||
level: extended
|
||
type: nested
|
||
description: 'An array containing an object for each section of the ELF file.
|
||
|
||
The keys that should be present in these objects are defined by sub-fields
|
||
underneath `elf.sections.*`.'
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.sections.chi2
|
||
level: extended
|
||
type: long
|
||
format: number
|
||
description: Chi-square probability distribution of the section.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.sections.entropy
|
||
level: extended
|
||
type: long
|
||
format: number
|
||
description: Shannon entropy calculation from the section.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.sections.flags
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List flags.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.sections.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List name.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.sections.physical_offset
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List offset.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.sections.physical_size
|
||
level: extended
|
||
type: long
|
||
format: bytes
|
||
description: ELF Section List physical size.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.sections.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List type.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.sections.virtual_address
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: ELF Section List virtual address.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.sections.virtual_size
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: ELF Section List virtual size.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.segments
|
||
level: extended
|
||
type: nested
|
||
description: 'An array containing an object for each segment of the ELF file.
|
||
|
||
The keys that should be present in these objects are defined by sub-fields
|
||
underneath `elf.segments.*`.'
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.segments.sections
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF object segment sections.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.segments.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF object segment type.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.shared_libraries
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of shared libraries used by this ELF object.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.elf.telfhash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: telfhash symbol hash for ELF file.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.extension
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'File extension, excluding the leading dot.
|
||
|
||
Note that when the file name has multiple extensions (example.tar.gz), only
|
||
the last one should be captured ("gz", not "tar.gz").'
|
||
example: png
|
||
default_field: false
|
||
- name: enrichments.indicator.file.fork_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'A fork is additional data associated with a filesystem object.
|
||
|
||
On Linux, a resource fork is used to store additional data with a filesystem
|
||
object. A file always has at least one fork for the data portion, and additional
|
||
forks may exist.
|
||
|
||
On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
|
||
data stream for a file is just called $DATA. Zone.Identifier is commonly used
|
||
by Windows to track contents downloaded from the Internet. An ADS is typically
|
||
of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
|
||
is the value that should populate `fork_name`. `filename.extension` should
|
||
populate `file.name`, and `extension` should populate `file.extension`. The
|
||
full path, `file.path`, will include the fork name.'
|
||
example: Zone.Identifer
|
||
default_field: false
|
||
- name: enrichments.indicator.file.gid
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Primary group ID (GID) of the file.
|
||
example: '1001'
|
||
default_field: false
|
||
- name: enrichments.indicator.file.group
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Primary group name of the file.
|
||
example: alice
|
||
default_field: false
|
||
- name: enrichments.indicator.file.hash.md5
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: MD5 hash.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.hash.sha1
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA1 hash.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.hash.sha256
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA256 hash.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.hash.sha512
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA512 hash.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.hash.ssdeep
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SSDEEP hash.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.inode
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Inode representing the file in the filesystem.
|
||
example: '256383'
|
||
default_field: false
|
||
- name: enrichments.indicator.file.mime_type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: MIME type should identify the format of the file or stream of bytes
|
||
using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
|
||
official types], where possible. When more than one type is applicable, the
|
||
most specific type should be used.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.mode
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Mode of the file in octal representation.
|
||
example: '0640'
|
||
default_field: false
|
||
- name: enrichments.indicator.file.mtime
|
||
level: extended
|
||
type: date
|
||
description: Last time the file content was modified.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the file including the extension, without the directory.
|
||
example: example.png
|
||
default_field: false
|
||
- name: enrichments.indicator.file.owner
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: File owner's username.
|
||
example: alice
|
||
default_field: false
|
||
- name: enrichments.indicator.file.path
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: Full path to the file, including the file name. It should include
|
||
the drive letter, when appropriate.
|
||
example: /home/alice/example.png
|
||
default_field: false
|
||
- name: enrichments.indicator.file.pe.architecture
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: CPU architecture target for the file.
|
||
example: x64
|
||
default_field: false
|
||
- name: enrichments.indicator.file.pe.company
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal company name of the file, provided at compile-time.
|
||
example: Microsoft Corporation
|
||
default_field: false
|
||
- name: enrichments.indicator.file.pe.description
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal description of the file, provided at compile-time.
|
||
example: Paint
|
||
default_field: false
|
||
- name: enrichments.indicator.file.pe.file_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal version of the file, provided at compile-time.
|
||
example: 6.3.9600.17415
|
||
default_field: false
|
||
- name: enrichments.indicator.file.pe.imphash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'A hash of the imports in a PE file. An imphash -- or import hash
|
||
-- can be used to fingerprint binaries even after recompilation or other code-level
|
||
transformations have occurred, which would change more traditional hash values.
|
||
|
||
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
|
||
example: 0c6803c4e922103c4dca5963aad36ddf
|
||
default_field: false
|
||
- name: enrichments.indicator.file.pe.original_file_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal name of the file, provided at compile-time.
|
||
example: MSPAINT.EXE
|
||
default_field: false
|
||
- name: enrichments.indicator.file.pe.product
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal product name of the file, provided at compile-time.
|
||
example: "Microsoft\xAE Windows\xAE Operating System"
|
||
default_field: false
|
||
- name: enrichments.indicator.file.size
|
||
level: extended
|
||
type: long
|
||
description: 'File size in bytes.
|
||
|
||
Only relevant when `file.type` is "file".'
|
||
example: 16384
|
||
default_field: false
|
||
- name: enrichments.indicator.file.target_path
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: Target path for symlinks.
|
||
default_field: false
|
||
- name: enrichments.indicator.file.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: File type (file, dir, or symlink).
|
||
example: file
|
||
default_field: false
|
||
- name: enrichments.indicator.file.uid
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The user ID (UID) or security identifier (SID) of the file owner.
|
||
example: '1001'
|
||
default_field: false
|
||
- name: enrichments.indicator.first_seen
|
||
level: extended
|
||
type: date
|
||
description: The date and time when intelligence source first reported sighting
|
||
this indicator.
|
||
example: '2020-11-05T17:25:47.000Z'
|
||
default_field: false
|
||
- name: enrichments.indicator.geo.city_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: City name.
|
||
example: Montreal
|
||
default_field: false
|
||
- name: enrichments.indicator.geo.continent_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Two-letter code representing continent's name.
|
||
example: NA
|
||
default_field: false
|
||
- name: enrichments.indicator.geo.continent_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the continent.
|
||
example: North America
|
||
default_field: false
|
||
- name: enrichments.indicator.geo.country_iso_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Country ISO code.
|
||
example: CA
|
||
default_field: false
|
||
- name: enrichments.indicator.geo.country_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Country name.
|
||
example: Canada
|
||
default_field: false
|
||
- name: enrichments.indicator.geo.location
|
||
level: core
|
||
type: geo_point
|
||
description: Longitude and latitude.
|
||
example: '{ "lon": -73.614830, "lat": 45.505918 }'
|
||
default_field: false
|
||
- name: enrichments.indicator.geo.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'User-defined description of a location, at the level of granularity
|
||
they care about.
|
||
|
||
Could be the name of their data centers, the floor number, if this describes
|
||
a local physical entity, city names.
|
||
|
||
Not typically used in automated geolocation.'
|
||
example: boston-dc
|
||
default_field: false
|
||
- name: enrichments.indicator.geo.postal_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Postal code associated with the location.
|
||
|
||
Values appropriate for this field may also be known as a postcode or ZIP code
|
||
and will vary widely from country to country.'
|
||
example: 94040
|
||
default_field: false
|
||
- name: enrichments.indicator.geo.region_iso_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Region ISO code.
|
||
example: CA-QC
|
||
default_field: false
|
||
- name: enrichments.indicator.geo.region_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Region name.
|
||
example: Quebec
|
||
default_field: false
|
||
- name: enrichments.indicator.geo.timezone
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The time zone of the location, such as IANA time zone name.
|
||
example: America/Argentina/Buenos_Aires
|
||
default_field: false
|
||
- name: enrichments.indicator.ip
|
||
level: extended
|
||
type: ip
|
||
description: Identifies a threat indicator as an IP address (irrespective of
|
||
direction).
|
||
example: 1.2.3.4
|
||
default_field: false
|
||
- name: enrichments.indicator.last_seen
|
||
level: extended
|
||
type: date
|
||
description: The date and time when intelligence source last reported sighting
|
||
this indicator.
|
||
example: '2020-11-05T17:25:47.000Z'
|
||
default_field: false
|
||
- name: enrichments.indicator.marking.tlp
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "Traffic Light Protocol sharing markings. Recommended values are:\n\
|
||
\ * WHITE\n * GREEN\n * AMBER\n * RED"
|
||
example: White
|
||
default_field: false
|
||
- name: enrichments.indicator.modified_at
|
||
level: extended
|
||
type: date
|
||
description: The date and time when intelligence source last modified information
|
||
for this indicator.
|
||
example: '2020-11-05T17:25:47.000Z'
|
||
default_field: false
|
||
- name: enrichments.indicator.port
|
||
level: extended
|
||
type: long
|
||
description: Identifies a threat indicator as a port number (irrespective of
|
||
direction).
|
||
example: 443
|
||
default_field: false
|
||
- name: enrichments.indicator.provider
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The name of the indicator's provider.
|
||
example: lrz_urlhaus
|
||
default_field: false
|
||
- name: enrichments.indicator.reference
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Reference URL linking to additional information about this indicator.
|
||
example: https://system.example.com/indicator/0001234
|
||
default_field: false
|
||
- name: enrichments.indicator.registry.data.bytes
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Original bytes written with base64 encoding.
|
||
|
||
For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
|
||
corresponds to the data pointed by `lp_data`. This is optional but provides
|
||
better recoverability and should be populated for REG_BINARY encoded values.'
|
||
example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
|
||
default_field: false
|
||
- name: enrichments.indicator.registry.data.strings
|
||
level: core
|
||
type: wildcard
|
||
description: 'Content when writing string types.
|
||
|
||
Populated as an array when writing string data to the registry. For single
|
||
string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
|
||
one string. For sequences of string with REG_MULTI_SZ, this array will be
|
||
variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
|
||
be populated with the decimal representation (e.g `"1"`).'
|
||
example: '["C:\rta\red_ttp\bin\myapp.exe"]'
|
||
default_field: false
|
||
- name: enrichments.indicator.registry.data.type
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Standard registry type for encoding contents
|
||
example: REG_SZ
|
||
default_field: false
|
||
- name: enrichments.indicator.registry.hive
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Abbreviated name for the hive.
|
||
example: HKLM
|
||
default_field: false
|
||
- name: enrichments.indicator.registry.key
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Hive-relative path of keys.
|
||
example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
|
||
default_field: false
|
||
- name: enrichments.indicator.registry.path
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Full path, including hive, key and value
|
||
example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
|
||
Options\winword.exe\Debugger
|
||
default_field: false
|
||
- name: enrichments.indicator.registry.value
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the value written.
|
||
example: Debugger
|
||
default_field: false
|
||
- name: enrichments.indicator.scanner_stats
|
||
level: extended
|
||
type: long
|
||
description: Count of AV/EDR vendors that successfully detected malicious file
|
||
or URL.
|
||
example: 4
|
||
default_field: false
|
||
- name: enrichments.indicator.sightings
|
||
level: extended
|
||
type: long
|
||
description: Number of times this indicator was observed conducting threat activity.
|
||
example: 20
|
||
default_field: false
|
||
- name: enrichments.indicator.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\
|
||
\ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\
|
||
\ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\
|
||
\ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \
|
||
\ * user-account\n * windows-registry-key\n * x509-certificate"
|
||
example: ipv4-addr
|
||
default_field: false
|
||
- name: enrichments.indicator.url.domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Domain of the url, such as "www.elastic.co".
|
||
|
||
In some cases a URL may refer to an IP and/or port directly, without a domain
|
||
name. In this case, the IP address would go to the `domain` field.
|
||
|
||
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
|
||
2732), the `[` and `]` characters should also be captured in the `domain`
|
||
field.'
|
||
example: www.elastic.co
|
||
default_field: false
|
||
- name: enrichments.indicator.url.extension
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The field contains the file extension from the original request
|
||
url, excluding the leading dot.
|
||
|
||
The file extension is only set if it exists, as not every url has a file extension.
|
||
|
||
The leading period must not be included. For example, the value must be "png",
|
||
not ".png".
|
||
|
||
Note that when the file name has multiple extensions (example.tar.gz), only
|
||
the last one should be captured ("gz", not "tar.gz").'
|
||
example: png
|
||
default_field: false
|
||
- name: enrichments.indicator.url.fragment
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Portion of the url after the `#`, such as "top".
|
||
|
||
The `#` is not part of the fragment.'
|
||
default_field: false
|
||
- name: enrichments.indicator.url.full
|
||
level: extended
|
||
type: wildcard
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: If full URLs are important to your use case, they should be stored
|
||
in `url.full`, whether this field is reconstructed or present in the event
|
||
source.
|
||
example: https://www.elastic.co:443/search?q=elasticsearch#top
|
||
default_field: false
|
||
- name: enrichments.indicator.url.original
|
||
level: extended
|
||
type: wildcard
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: 'Unmodified original url as seen in the event source.
|
||
|
||
Note that in network monitoring, the observed URL may be a full URL, whereas
|
||
in access logs, the URL is often just represented as a path.
|
||
|
||
This field is meant to represent the URL as it was observed, complete or not.'
|
||
example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
|
||
default_field: false
|
||
- name: enrichments.indicator.url.password
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Password of the request.
|
||
default_field: false
|
||
- name: enrichments.indicator.url.path
|
||
level: extended
|
||
type: wildcard
|
||
description: Path of the request, such as "/search".
|
||
default_field: false
|
||
- name: enrichments.indicator.url.port
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: Port of the request, such as 443.
|
||
example: 443
|
||
default_field: false
|
||
- name: enrichments.indicator.url.query
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The query field describes the query string of the request, such
|
||
as "q=elasticsearch".
|
||
|
||
The `?` is excluded from the query string. If a URL contains no `?`, there
|
||
is no query field. If there is a `?` but no query, the query field exists
|
||
with an empty string. The `exists` query can be used to differentiate between
|
||
the two cases.'
|
||
default_field: false
|
||
- name: enrichments.indicator.url.registered_domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The highest registered url domain, stripped of the subdomain.
|
||
|
||
For example, the registered domain for "foo.example.com" is "example.com".
|
||
|
||
This value can be determined precisely with a list like the public suffix
|
||
list (http://publicsuffix.org). Trying to approximate this by simply taking
|
||
the last two labels will not work well for TLDs such as "co.uk".'
|
||
example: example.com
|
||
default_field: false
|
||
- name: enrichments.indicator.url.scheme
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Scheme of the request, such as "https".
|
||
|
||
Note: The `:` is not part of the scheme.'
|
||
example: https
|
||
default_field: false
|
||
- name: enrichments.indicator.url.subdomain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The subdomain portion of a fully qualified domain name includes
|
||
all of the names except the host name under the registered_domain. In a partially
|
||
qualified domain, or if the the qualification level of the full name cannot
|
||
be determined, subdomain contains all of the names below the registered domain.
|
||
|
||
For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
|
||
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
|
||
the subdomain field should contain "sub2.sub1", with no trailing period.'
|
||
example: east
|
||
default_field: false
|
||
- name: enrichments.indicator.url.top_level_domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The effective top level domain (eTLD), also known as the domain
|
||
suffix, is the last part of the domain name. For example, the top level domain
|
||
for example.com is "com".
|
||
|
||
This value can be determined precisely with a list like the public suffix
|
||
list (http://publicsuffix.org). Trying to approximate this by simply taking
|
||
the last label will not work well for effective TLDs such as "co.uk".'
|
||
example: co.uk
|
||
default_field: false
|
||
- name: enrichments.indicator.url.username
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Username of the request.
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.alternative_names
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of subject alternative names (SAN). Name types vary by certificate
|
||
authority and certificate type but commonly contain IP addresses, DNS names
|
||
(and wildcards), and email addresses.
|
||
example: '*.elastic.co'
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.issuer.common_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of common name (CN) of issuing certificate authority.
|
||
example: Example SHA2 High Assurance Server CA
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.issuer.country
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of country (C) codes
|
||
example: US
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.issuer.distinguished_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Distinguished name (DN) of issuing certificate authority.
|
||
example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
|
||
Server CA
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.issuer.locality
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of locality names (L)
|
||
example: Mountain View
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.issuer.organization
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizations (O) of issuing certificate authority.
|
||
example: Example Inc
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.issuer.organizational_unit
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizational units (OU) of issuing certificate authority.
|
||
example: www.example.com
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.issuer.state_or_province
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of state or province names (ST, S, or P)
|
||
example: California
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.not_after
|
||
level: extended
|
||
type: date
|
||
description: Time at which the certificate is no longer considered valid.
|
||
example: 2020-07-16 03:15:39+00:00
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.not_before
|
||
level: extended
|
||
type: date
|
||
description: Time at which the certificate is first considered valid.
|
||
example: 2019-08-16 01:40:25+00:00
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.public_key_algorithm
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Algorithm used to generate the public key.
|
||
example: RSA
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.public_key_curve
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The curve used by the elliptic curve public key algorithm. This
|
||
is algorithm specific.
|
||
example: nistp521
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.public_key_exponent
|
||
level: extended
|
||
type: long
|
||
description: Exponent used to derive the public key. This is algorithm specific.
|
||
example: 65537
|
||
index: false
|
||
doc_values: false
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.public_key_size
|
||
level: extended
|
||
type: long
|
||
description: The size of the public key space in bits.
|
||
example: 2048
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.serial_number
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique serial number issued by the certificate authority. For consistency,
|
||
if this value is alphanumeric, it should be formatted without colons and uppercase
|
||
characters.
|
||
example: 55FBB9C7DEBF09809D12CCAA
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.signature_algorithm
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Identifier for certificate signature algorithm. We recommend using
|
||
names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
|
||
example: SHA256-RSA
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.subject.common_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of common names (CN) of subject.
|
||
example: shared.global.example.net
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.subject.country
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of country (C) code
|
||
example: US
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.subject.distinguished_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Distinguished name (DN) of the certificate subject entity.
|
||
example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.subject.locality
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of locality names (L)
|
||
example: San Francisco
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.subject.organization
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizations (O) of subject.
|
||
example: Example, Inc.
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.subject.organizational_unit
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizational units (OU) of subject.
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.subject.state_or_province
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of state or province names (ST, S, or P)
|
||
example: California
|
||
default_field: false
|
||
- name: enrichments.indicator.x509.version_number
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Version of x509 format.
|
||
example: 3
|
||
default_field: false
|
||
- name: enrichments.matched.atomic
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Identifies the atomic indicator value that matched a local environment
|
||
endpoint or network event.
|
||
example: bad-domain.com
|
||
default_field: false
|
||
- name: enrichments.matched.field
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Identifies the field of the atomic indicator that matched a local
|
||
environment endpoint or network event.
|
||
example: file.hash.sha256
|
||
default_field: false
|
||
- name: enrichments.matched.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Identifies the _id of the indicator document enriching the event.
|
||
example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5
|
||
default_field: false
|
||
- name: enrichments.matched.index
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Identifies the _index of the indicator document enriching the event.
|
||
example: filebeat-8.0.0-2021.05.23-000011
|
||
default_field: false
|
||
- name: enrichments.matched.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Identifies the type of match that caused the event to be enriched
|
||
with the given indicator
|
||
example: indicator_match_rule
|
||
default_field: false
|
||
- name: framework
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the threat framework used to further categorize and classify
|
||
the tactic and technique of the reported threat. Framework classification
|
||
can be provided by detecting systems, evaluated at ingest time, or retrospectively
|
||
tagged to events.
|
||
example: MITRE ATT&CK
|
||
- name: group.alias
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "The alias(es) of the group for a set of related intrusion activity\
|
||
\ that are tracked by a common name in the security community.\nWhile not\
|
||
\ required, you can use a MITRE ATT&CK\xAE group alias(es)."
|
||
example: '[ "Magecart Group 6" ]'
|
||
default_field: false
|
||
- name: group.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "The id of the group for a set of related intrusion activity that\
|
||
\ are tracked by a common name in the security community.\nWhile not required,\
|
||
\ you can use a MITRE ATT&CK\xAE group id."
|
||
example: G0037
|
||
default_field: false
|
||
- name: group.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "The name of the group for a set of related intrusion activity\
|
||
\ that are tracked by a common name in the security community.\nWhile not\
|
||
\ required, you can use a MITRE ATT&CK\xAE group name."
|
||
example: FIN6
|
||
default_field: false
|
||
- name: group.reference
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "The reference URL of the group for a set of related intrusion\
|
||
\ activity that are tracked by a common name in the security community.\n\
|
||
While not required, you can use a MITRE ATT&CK\xAE group reference URL."
|
||
example: https://attack.mitre.org/groups/G0037/
|
||
default_field: false
|
||
- name: indicator.as.number
|
||
level: extended
|
||
type: long
|
||
description: Unique number allocated to the autonomous system. The autonomous
|
||
system number (ASN) uniquely identifies each network on the Internet.
|
||
example: 15169
|
||
default_field: false
|
||
- name: indicator.as.organization.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: Organization name.
|
||
example: Google LLC
|
||
default_field: false
|
||
- name: indicator.confidence
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "Identifies the confidence rating assigned by the provider using\
|
||
\ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\
|
||
\ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\
|
||
\ * WEP Scale (Impossible - Certain)"
|
||
example: High
|
||
default_field: false
|
||
- name: indicator.description
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Describes the type of action conducted by the threat.
|
||
example: IP x.x.x.x was observed delivering the Angler EK.
|
||
default_field: false
|
||
- name: indicator.email.address
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Identifies a threat indicator as an email address (irrespective
|
||
of direction).
|
||
example: phish@example.com
|
||
default_field: false
|
||
- name: indicator.file.accessed
|
||
level: extended
|
||
type: date
|
||
description: 'Last time the file was accessed.
|
||
|
||
Note that not all filesystems keep track of access time.'
|
||
default_field: false
|
||
- name: indicator.file.attributes
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Array of file attributes.
|
||
|
||
Attributes names will vary by platform. Here''s a non-exhaustive list of values
|
||
that are expected in this field: archive, compressed, directory, encrypted,
|
||
execute, hidden, read, readonly, system, write.'
|
||
example: '["readonly", "system"]'
|
||
default_field: false
|
||
- name: indicator.file.code_signature.digest_algorithm
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The hashing algorithm used to sign the process.
|
||
|
||
This value can distinguish signatures when a file is signed multiple times
|
||
by the same signer but with a different digest algorithm.'
|
||
example: sha256
|
||
default_field: false
|
||
- name: indicator.file.code_signature.exists
|
||
level: core
|
||
type: boolean
|
||
description: Boolean to capture if a signature is present.
|
||
example: 'true'
|
||
default_field: false
|
||
- name: indicator.file.code_signature.signing_id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The identifier used to sign the process.
|
||
|
||
This is used to identify the application manufactured by a software vendor.
|
||
The field is relevant to Apple *OS only.'
|
||
example: com.apple.xpc.proxy
|
||
default_field: false
|
||
- name: indicator.file.code_signature.status
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Additional information about the certificate status.
|
||
|
||
This is useful for logging cryptographic errors with the certificate validity
|
||
or trust status. Leave unpopulated if the validity or trust of the certificate
|
||
was unchecked.'
|
||
example: ERROR_UNTRUSTED_ROOT
|
||
default_field: false
|
||
- name: indicator.file.code_signature.subject_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Subject name of the code signer
|
||
example: Microsoft Corporation
|
||
default_field: false
|
||
- name: indicator.file.code_signature.team_id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The team identifier used to sign the process.
|
||
|
||
This is used to identify the team or vendor of a software product. The field
|
||
is relevant to Apple *OS only.'
|
||
example: EQHXZ8M8AV
|
||
default_field: false
|
||
- name: indicator.file.code_signature.timestamp
|
||
level: extended
|
||
type: date
|
||
description: Date and time when the code signature was generated and signed.
|
||
example: '2021-01-01T12:10:30Z'
|
||
default_field: false
|
||
- name: indicator.file.code_signature.trusted
|
||
level: extended
|
||
type: boolean
|
||
description: 'Stores the trust status of the certificate chain.
|
||
|
||
Validating the trust of the certificate chain may be complicated, and this
|
||
field should only be populated by tools that actively check the status.'
|
||
example: 'true'
|
||
default_field: false
|
||
- name: indicator.file.code_signature.valid
|
||
level: extended
|
||
type: boolean
|
||
description: 'Boolean to capture if the digital signature is verified against
|
||
the binary content.
|
||
|
||
Leave unpopulated if a certificate was unchecked.'
|
||
example: 'true'
|
||
default_field: false
|
||
- name: indicator.file.created
|
||
level: extended
|
||
type: date
|
||
description: 'File creation time.
|
||
|
||
Note that not all filesystems store the creation time.'
|
||
default_field: false
|
||
- name: indicator.file.ctime
|
||
level: extended
|
||
type: date
|
||
description: 'Last time the file attributes or metadata changed.
|
||
|
||
Note that changes to the file content will update `mtime`. This implies `ctime`
|
||
will be adjusted at the same time, since `mtime` is an attribute of the file.'
|
||
default_field: false
|
||
- name: indicator.file.device
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Device that is the source of the file.
|
||
example: sda
|
||
default_field: false
|
||
- name: indicator.file.directory
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Directory where the file is located. It should include the drive
|
||
letter, when appropriate.
|
||
example: /home/alice
|
||
default_field: false
|
||
- name: indicator.file.drive_letter
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1
|
||
description: 'Drive letter where the file is located. This field is only relevant
|
||
on Windows.
|
||
|
||
The value should be uppercase, and not include the colon.'
|
||
example: C
|
||
default_field: false
|
||
- name: indicator.file.elf.architecture
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Machine architecture of the ELF file.
|
||
example: x86-64
|
||
default_field: false
|
||
- name: indicator.file.elf.byte_order
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Byte sequence of ELF file.
|
||
example: Little Endian
|
||
default_field: false
|
||
- name: indicator.file.elf.cpu_type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: CPU type of the ELF file.
|
||
example: Intel
|
||
default_field: false
|
||
- name: indicator.file.elf.creation_date
|
||
level: extended
|
||
type: date
|
||
description: Extracted when possible from the file's metadata. Indicates when
|
||
it was built or compiled. It can also be faked by malware creators.
|
||
default_field: false
|
||
- name: indicator.file.elf.exports
|
||
level: extended
|
||
type: flattened
|
||
description: List of exported element names and types.
|
||
default_field: false
|
||
- name: indicator.file.elf.header.abi_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Version of the ELF Application Binary Interface (ABI).
|
||
default_field: false
|
||
- name: indicator.file.elf.header.class
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Header class of the ELF file.
|
||
default_field: false
|
||
- name: indicator.file.elf.header.data
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Data table of the ELF header.
|
||
default_field: false
|
||
- name: indicator.file.elf.header.entrypoint
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: Header entrypoint of the ELF file.
|
||
default_field: false
|
||
- name: indicator.file.elf.header.object_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: '"0x1" for original ELF files.'
|
||
default_field: false
|
||
- name: indicator.file.elf.header.os_abi
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Application Binary Interface (ABI) of the Linux OS.
|
||
default_field: false
|
||
- name: indicator.file.elf.header.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Header type of the ELF file.
|
||
default_field: false
|
||
- name: indicator.file.elf.header.version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Version of the ELF header.
|
||
default_field: false
|
||
- name: indicator.file.elf.imports
|
||
level: extended
|
||
type: flattened
|
||
description: List of imported element names and types.
|
||
default_field: false
|
||
- name: indicator.file.elf.sections
|
||
level: extended
|
||
type: nested
|
||
description: 'An array containing an object for each section of the ELF file.
|
||
|
||
The keys that should be present in these objects are defined by sub-fields
|
||
underneath `elf.sections.*`.'
|
||
default_field: false
|
||
- name: indicator.file.elf.sections.chi2
|
||
level: extended
|
||
type: long
|
||
format: number
|
||
description: Chi-square probability distribution of the section.
|
||
default_field: false
|
||
- name: indicator.file.elf.sections.entropy
|
||
level: extended
|
||
type: long
|
||
format: number
|
||
description: Shannon entropy calculation from the section.
|
||
default_field: false
|
||
- name: indicator.file.elf.sections.flags
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List flags.
|
||
default_field: false
|
||
- name: indicator.file.elf.sections.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List name.
|
||
default_field: false
|
||
- name: indicator.file.elf.sections.physical_offset
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List offset.
|
||
default_field: false
|
||
- name: indicator.file.elf.sections.physical_size
|
||
level: extended
|
||
type: long
|
||
format: bytes
|
||
description: ELF Section List physical size.
|
||
default_field: false
|
||
- name: indicator.file.elf.sections.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF Section List type.
|
||
default_field: false
|
||
- name: indicator.file.elf.sections.virtual_address
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: ELF Section List virtual address.
|
||
default_field: false
|
||
- name: indicator.file.elf.sections.virtual_size
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: ELF Section List virtual size.
|
||
default_field: false
|
||
- name: indicator.file.elf.segments
|
||
level: extended
|
||
type: nested
|
||
description: 'An array containing an object for each segment of the ELF file.
|
||
|
||
The keys that should be present in these objects are defined by sub-fields
|
||
underneath `elf.segments.*`.'
|
||
default_field: false
|
||
- name: indicator.file.elf.segments.sections
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF object segment sections.
|
||
default_field: false
|
||
- name: indicator.file.elf.segments.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: ELF object segment type.
|
||
default_field: false
|
||
- name: indicator.file.elf.shared_libraries
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of shared libraries used by this ELF object.
|
||
default_field: false
|
||
- name: indicator.file.elf.telfhash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: telfhash symbol hash for ELF file.
|
||
default_field: false
|
||
- name: indicator.file.extension
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'File extension, excluding the leading dot.
|
||
|
||
Note that when the file name has multiple extensions (example.tar.gz), only
|
||
the last one should be captured ("gz", not "tar.gz").'
|
||
example: png
|
||
default_field: false
|
||
- name: indicator.file.fork_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'A fork is additional data associated with a filesystem object.
|
||
|
||
On Linux, a resource fork is used to store additional data with a filesystem
|
||
object. A file always has at least one fork for the data portion, and additional
|
||
forks may exist.
|
||
|
||
On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default
|
||
data stream for a file is just called $DATA. Zone.Identifier is commonly used
|
||
by Windows to track contents downloaded from the Internet. An ADS is typically
|
||
of the form: `C:\path\to\filename.extension:some_fork_name`, and `some_fork_name`
|
||
is the value that should populate `fork_name`. `filename.extension` should
|
||
populate `file.name`, and `extension` should populate `file.extension`. The
|
||
full path, `file.path`, will include the fork name.'
|
||
example: Zone.Identifer
|
||
default_field: false
|
||
- name: indicator.file.gid
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Primary group ID (GID) of the file.
|
||
example: '1001'
|
||
default_field: false
|
||
- name: indicator.file.group
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Primary group name of the file.
|
||
example: alice
|
||
default_field: false
|
||
- name: indicator.file.hash.md5
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: MD5 hash.
|
||
default_field: false
|
||
- name: indicator.file.hash.sha1
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA1 hash.
|
||
default_field: false
|
||
- name: indicator.file.hash.sha256
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA256 hash.
|
||
default_field: false
|
||
- name: indicator.file.hash.sha512
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SHA512 hash.
|
||
default_field: false
|
||
- name: indicator.file.hash.ssdeep
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: SSDEEP hash.
|
||
default_field: false
|
||
- name: indicator.file.inode
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Inode representing the file in the filesystem.
|
||
example: '256383'
|
||
default_field: false
|
||
- name: indicator.file.mime_type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: MIME type should identify the format of the file or stream of bytes
|
||
using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA
|
||
official types], where possible. When more than one type is applicable, the
|
||
most specific type should be used.
|
||
default_field: false
|
||
- name: indicator.file.mode
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Mode of the file in octal representation.
|
||
example: '0640'
|
||
default_field: false
|
||
- name: indicator.file.mtime
|
||
level: extended
|
||
type: date
|
||
description: Last time the file content was modified.
|
||
default_field: false
|
||
- name: indicator.file.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the file including the extension, without the directory.
|
||
example: example.png
|
||
default_field: false
|
||
- name: indicator.file.owner
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: File owner's username.
|
||
example: alice
|
||
default_field: false
|
||
- name: indicator.file.path
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: Full path to the file, including the file name. It should include
|
||
the drive letter, when appropriate.
|
||
example: /home/alice/example.png
|
||
default_field: false
|
||
- name: indicator.file.pe.architecture
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: CPU architecture target for the file.
|
||
example: x64
|
||
default_field: false
|
||
- name: indicator.file.pe.company
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal company name of the file, provided at compile-time.
|
||
example: Microsoft Corporation
|
||
default_field: false
|
||
- name: indicator.file.pe.description
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal description of the file, provided at compile-time.
|
||
example: Paint
|
||
default_field: false
|
||
- name: indicator.file.pe.file_version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal version of the file, provided at compile-time.
|
||
example: 6.3.9600.17415
|
||
default_field: false
|
||
- name: indicator.file.pe.imphash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'A hash of the imports in a PE file. An imphash -- or import hash
|
||
-- can be used to fingerprint binaries even after recompilation or other code-level
|
||
transformations have occurred, which would change more traditional hash values.
|
||
|
||
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
|
||
example: 0c6803c4e922103c4dca5963aad36ddf
|
||
default_field: false
|
||
- name: indicator.file.pe.original_file_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal name of the file, provided at compile-time.
|
||
example: MSPAINT.EXE
|
||
default_field: false
|
||
- name: indicator.file.pe.product
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Internal product name of the file, provided at compile-time.
|
||
example: "Microsoft\xAE Windows\xAE Operating System"
|
||
default_field: false
|
||
- name: indicator.file.size
|
||
level: extended
|
||
type: long
|
||
description: 'File size in bytes.
|
||
|
||
Only relevant when `file.type` is "file".'
|
||
example: 16384
|
||
default_field: false
|
||
- name: indicator.file.target_path
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: Target path for symlinks.
|
||
default_field: false
|
||
- name: indicator.file.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: File type (file, dir, or symlink).
|
||
example: file
|
||
default_field: false
|
||
- name: indicator.file.uid
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The user ID (UID) or security identifier (SID) of the file owner.
|
||
example: '1001'
|
||
default_field: false
|
||
- name: indicator.first_seen
|
||
level: extended
|
||
type: date
|
||
description: The date and time when intelligence source first reported sighting
|
||
this indicator.
|
||
example: '2020-11-05T17:25:47.000Z'
|
||
default_field: false
|
||
- name: indicator.geo.city_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: City name.
|
||
example: Montreal
|
||
default_field: false
|
||
- name: indicator.geo.continent_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Two-letter code representing continent's name.
|
||
example: NA
|
||
default_field: false
|
||
- name: indicator.geo.continent_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the continent.
|
||
example: North America
|
||
default_field: false
|
||
- name: indicator.geo.country_iso_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Country ISO code.
|
||
example: CA
|
||
default_field: false
|
||
- name: indicator.geo.country_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Country name.
|
||
example: Canada
|
||
default_field: false
|
||
- name: indicator.geo.location
|
||
level: core
|
||
type: geo_point
|
||
description: Longitude and latitude.
|
||
example: '{ "lon": -73.614830, "lat": 45.505918 }'
|
||
default_field: false
|
||
- name: indicator.geo.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'User-defined description of a location, at the level of granularity
|
||
they care about.
|
||
|
||
Could be the name of their data centers, the floor number, if this describes
|
||
a local physical entity, city names.
|
||
|
||
Not typically used in automated geolocation.'
|
||
example: boston-dc
|
||
default_field: false
|
||
- name: indicator.geo.postal_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Postal code associated with the location.
|
||
|
||
Values appropriate for this field may also be known as a postcode or ZIP code
|
||
and will vary widely from country to country.'
|
||
example: 94040
|
||
default_field: false
|
||
- name: indicator.geo.region_iso_code
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Region ISO code.
|
||
example: CA-QC
|
||
default_field: false
|
||
- name: indicator.geo.region_name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Region name.
|
||
example: Quebec
|
||
default_field: false
|
||
- name: indicator.geo.timezone
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The time zone of the location, such as IANA time zone name.
|
||
example: America/Argentina/Buenos_Aires
|
||
default_field: false
|
||
- name: indicator.ip
|
||
level: extended
|
||
type: ip
|
||
description: Identifies a threat indicator as an IP address (irrespective of
|
||
direction).
|
||
example: 1.2.3.4
|
||
default_field: false
|
||
- name: indicator.last_seen
|
||
level: extended
|
||
type: date
|
||
description: The date and time when intelligence source last reported sighting
|
||
this indicator.
|
||
example: '2020-11-05T17:25:47.000Z'
|
||
default_field: false
|
||
- name: indicator.marking.tlp
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\
|
||
\ * WHITE\n * GREEN\n * AMBER\n * RED"
|
||
example: WHITE
|
||
default_field: false
|
||
- name: indicator.modified_at
|
||
level: extended
|
||
type: date
|
||
description: The date and time when intelligence source last modified information
|
||
for this indicator.
|
||
example: '2020-11-05T17:25:47.000Z'
|
||
default_field: false
|
||
- name: indicator.port
|
||
level: extended
|
||
type: long
|
||
description: Identifies a threat indicator as a port number (irrespective of
|
||
direction).
|
||
example: 443
|
||
default_field: false
|
||
- name: indicator.provider
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The name of the indicator's provider.
|
||
example: lrz_urlhaus
|
||
default_field: false
|
||
- name: indicator.reference
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Reference URL linking to additional information about this indicator.
|
||
example: https://system.example.com/indicator/0001234
|
||
default_field: false
|
||
- name: indicator.registry.data.bytes
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Original bytes written with base64 encoding.
|
||
|
||
For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
|
||
corresponds to the data pointed by `lp_data`. This is optional but provides
|
||
better recoverability and should be populated for REG_BINARY encoded values.'
|
||
example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
|
||
default_field: false
|
||
- name: indicator.registry.data.strings
|
||
level: core
|
||
type: wildcard
|
||
description: 'Content when writing string types.
|
||
|
||
Populated as an array when writing string data to the registry. For single
|
||
string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
|
||
one string. For sequences of string with REG_MULTI_SZ, this array will be
|
||
variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
|
||
be populated with the decimal representation (e.g `"1"`).'
|
||
example: '["C:\rta\red_ttp\bin\myapp.exe"]'
|
||
default_field: false
|
||
- name: indicator.registry.data.type
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Standard registry type for encoding contents
|
||
example: REG_SZ
|
||
default_field: false
|
||
- name: indicator.registry.hive
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Abbreviated name for the hive.
|
||
example: HKLM
|
||
default_field: false
|
||
- name: indicator.registry.key
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Hive-relative path of keys.
|
||
example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
|
||
default_field: false
|
||
- name: indicator.registry.path
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Full path, including hive, key and value
|
||
example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
|
||
Options\winword.exe\Debugger
|
||
default_field: false
|
||
- name: indicator.registry.value
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the value written.
|
||
example: Debugger
|
||
default_field: false
|
||
- name: indicator.scanner_stats
|
||
level: extended
|
||
type: long
|
||
description: Count of AV/EDR vendors that successfully detected malicious file
|
||
or URL.
|
||
example: 4
|
||
default_field: false
|
||
- name: indicator.sightings
|
||
level: extended
|
||
type: long
|
||
description: Number of times this indicator was observed conducting threat activity.
|
||
example: 20
|
||
default_field: false
|
||
- name: indicator.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\
|
||
Recommended values:\n * autonomous-system\n * artifact\n * directory\n\
|
||
\ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\
|
||
\ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \
|
||
\ * user-account\n * windows-registry-key\n * x509-certificate"
|
||
example: ipv4-addr
|
||
default_field: false
|
||
- name: indicator.url.domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Domain of the url, such as "www.elastic.co".
|
||
|
||
In some cases a URL may refer to an IP and/or port directly, without a domain
|
||
name. In this case, the IP address would go to the `domain` field.
|
||
|
||
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
|
||
2732), the `[` and `]` characters should also be captured in the `domain`
|
||
field.'
|
||
example: www.elastic.co
|
||
default_field: false
|
||
- name: indicator.url.extension
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The field contains the file extension from the original request
|
||
url, excluding the leading dot.
|
||
|
||
The file extension is only set if it exists, as not every url has a file extension.
|
||
|
||
The leading period must not be included. For example, the value must be "png",
|
||
not ".png".
|
||
|
||
Note that when the file name has multiple extensions (example.tar.gz), only
|
||
the last one should be captured ("gz", not "tar.gz").'
|
||
example: png
|
||
default_field: false
|
||
- name: indicator.url.fragment
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Portion of the url after the `#`, such as "top".
|
||
|
||
The `#` is not part of the fragment.'
|
||
default_field: false
|
||
- name: indicator.url.full
|
||
level: extended
|
||
type: wildcard
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: If full URLs are important to your use case, they should be stored
|
||
in `url.full`, whether this field is reconstructed or present in the event
|
||
source.
|
||
example: https://www.elastic.co:443/search?q=elasticsearch#top
|
||
default_field: false
|
||
- name: indicator.url.original
|
||
level: extended
|
||
type: wildcard
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: 'Unmodified original url as seen in the event source.
|
||
|
||
Note that in network monitoring, the observed URL may be a full URL, whereas
|
||
in access logs, the URL is often just represented as a path.
|
||
|
||
This field is meant to represent the URL as it was observed, complete or not.'
|
||
example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
|
||
default_field: false
|
||
- name: indicator.url.password
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Password of the request.
|
||
default_field: false
|
||
- name: indicator.url.path
|
||
level: extended
|
||
type: wildcard
|
||
description: Path of the request, such as "/search".
|
||
default_field: false
|
||
- name: indicator.url.port
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: Port of the request, such as 443.
|
||
example: 443
|
||
default_field: false
|
||
- name: indicator.url.query
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The query field describes the query string of the request, such
|
||
as "q=elasticsearch".
|
||
|
||
The `?` is excluded from the query string. If a URL contains no `?`, there
|
||
is no query field. If there is a `?` but no query, the query field exists
|
||
with an empty string. The `exists` query can be used to differentiate between
|
||
the two cases.'
|
||
default_field: false
|
||
- name: indicator.url.registered_domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The highest registered url domain, stripped of the subdomain.
|
||
|
||
For example, the registered domain for "foo.example.com" is "example.com".
|
||
|
||
This value can be determined precisely with a list like the public suffix
|
||
list (http://publicsuffix.org). Trying to approximate this by simply taking
|
||
the last two labels will not work well for TLDs such as "co.uk".'
|
||
example: example.com
|
||
default_field: false
|
||
- name: indicator.url.scheme
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Scheme of the request, such as "https".
|
||
|
||
Note: The `:` is not part of the scheme.'
|
||
example: https
|
||
default_field: false
|
||
- name: indicator.url.subdomain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The subdomain portion of a fully qualified domain name includes
|
||
all of the names except the host name under the registered_domain. In a partially
|
||
qualified domain, or if the the qualification level of the full name cannot
|
||
be determined, subdomain contains all of the names below the registered domain.
|
||
|
||
For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
|
||
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
|
||
the subdomain field should contain "sub2.sub1", with no trailing period.'
|
||
example: east
|
||
default_field: false
|
||
- name: indicator.url.top_level_domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The effective top level domain (eTLD), also known as the domain
|
||
suffix, is the last part of the domain name. For example, the top level domain
|
||
for example.com is "com".
|
||
|
||
This value can be determined precisely with a list like the public suffix
|
||
list (http://publicsuffix.org). Trying to approximate this by simply taking
|
||
the last label will not work well for effective TLDs such as "co.uk".'
|
||
example: co.uk
|
||
default_field: false
|
||
- name: indicator.url.username
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Username of the request.
|
||
default_field: false
|
||
- name: indicator.x509.alternative_names
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of subject alternative names (SAN). Name types vary by certificate
|
||
authority and certificate type but commonly contain IP addresses, DNS names
|
||
(and wildcards), and email addresses.
|
||
example: '*.elastic.co'
|
||
default_field: false
|
||
- name: indicator.x509.issuer.common_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of common name (CN) of issuing certificate authority.
|
||
example: Example SHA2 High Assurance Server CA
|
||
default_field: false
|
||
- name: indicator.x509.issuer.country
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of country (C) codes
|
||
example: US
|
||
default_field: false
|
||
- name: indicator.x509.issuer.distinguished_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Distinguished name (DN) of issuing certificate authority.
|
||
example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
|
||
Server CA
|
||
default_field: false
|
||
- name: indicator.x509.issuer.locality
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of locality names (L)
|
||
example: Mountain View
|
||
default_field: false
|
||
- name: indicator.x509.issuer.organization
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizations (O) of issuing certificate authority.
|
||
example: Example Inc
|
||
default_field: false
|
||
- name: indicator.x509.issuer.organizational_unit
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizational units (OU) of issuing certificate authority.
|
||
example: www.example.com
|
||
default_field: false
|
||
- name: indicator.x509.issuer.state_or_province
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of state or province names (ST, S, or P)
|
||
example: California
|
||
default_field: false
|
||
- name: indicator.x509.not_after
|
||
level: extended
|
||
type: date
|
||
description: Time at which the certificate is no longer considered valid.
|
||
example: 2020-07-16 03:15:39+00:00
|
||
default_field: false
|
||
- name: indicator.x509.not_before
|
||
level: extended
|
||
type: date
|
||
description: Time at which the certificate is first considered valid.
|
||
example: 2019-08-16 01:40:25+00:00
|
||
default_field: false
|
||
- name: indicator.x509.public_key_algorithm
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Algorithm used to generate the public key.
|
||
example: RSA
|
||
default_field: false
|
||
- name: indicator.x509.public_key_curve
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The curve used by the elliptic curve public key algorithm. This
|
||
is algorithm specific.
|
||
example: nistp521
|
||
default_field: false
|
||
- name: indicator.x509.public_key_exponent
|
||
level: extended
|
||
type: long
|
||
description: Exponent used to derive the public key. This is algorithm specific.
|
||
example: 65537
|
||
index: false
|
||
doc_values: false
|
||
default_field: false
|
||
- name: indicator.x509.public_key_size
|
||
level: extended
|
||
type: long
|
||
description: The size of the public key space in bits.
|
||
example: 2048
|
||
default_field: false
|
||
- name: indicator.x509.serial_number
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique serial number issued by the certificate authority. For consistency,
|
||
if this value is alphanumeric, it should be formatted without colons and uppercase
|
||
characters.
|
||
example: 55FBB9C7DEBF09809D12CCAA
|
||
default_field: false
|
||
- name: indicator.x509.signature_algorithm
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Identifier for certificate signature algorithm. We recommend using
|
||
names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
|
||
example: SHA256-RSA
|
||
default_field: false
|
||
- name: indicator.x509.subject.common_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of common names (CN) of subject.
|
||
example: shared.global.example.net
|
||
default_field: false
|
||
- name: indicator.x509.subject.country
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of country (C) code
|
||
example: US
|
||
default_field: false
|
||
- name: indicator.x509.subject.distinguished_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Distinguished name (DN) of the certificate subject entity.
|
||
example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
|
||
default_field: false
|
||
- name: indicator.x509.subject.locality
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of locality names (L)
|
||
example: San Francisco
|
||
default_field: false
|
||
- name: indicator.x509.subject.organization
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizations (O) of subject.
|
||
example: Example, Inc.
|
||
default_field: false
|
||
- name: indicator.x509.subject.organizational_unit
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizational units (OU) of subject.
|
||
default_field: false
|
||
- name: indicator.x509.subject.state_or_province
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of state or province names (ST, S, or P)
|
||
example: California
|
||
default_field: false
|
||
- name: indicator.x509.version_number
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Version of x509 format.
|
||
example: 3
|
||
default_field: false
|
||
- name: software.alias
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "The alias(es) of the software for a set of related intrusion activity\
|
||
\ that are tracked by a common name in the security community.\nWhile not\
|
||
\ required, you can use a MITRE ATT&CK\xAE associated software description."
|
||
example: '[ "X-Agent" ]'
|
||
default_field: false
|
||
- name: software.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "The id of the software used by this threat to conduct behavior\
|
||
\ commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use\
|
||
\ a MITRE ATT&CK\xAE software id."
|
||
example: S0552
|
||
default_field: false
|
||
- name: software.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "The name of the software used by this threat to conduct behavior\
|
||
\ commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you can use\
|
||
\ a MITRE ATT&CK\xAE software name."
|
||
example: AdFind
|
||
default_field: false
|
||
- name: software.platforms
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "The platforms of the software used by this threat to conduct behavior\
|
||
\ commonly modeled using MITRE ATT&CK\xAE.\nRecommended Values:\n * AWS\n\
|
||
\ * Azure\n * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n *\
|
||
\ Office 365\n * SaaS\n * Windows\n\nWhile not required, you can use a MITRE\
|
||
\ ATT&CK\xAE software platforms."
|
||
example: '[ "Windows" ]'
|
||
default_field: false
|
||
- name: software.reference
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "The reference URL of the software used by this threat to conduct\
|
||
\ behavior commonly modeled using MITRE ATT&CK\xAE.\nWhile not required, you\
|
||
\ can use a MITRE ATT&CK\xAE software reference URL."
|
||
example: https://attack.mitre.org/software/S0552/
|
||
default_field: false
|
||
- name: software.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "The type of software used by this threat to conduct behavior commonly\
|
||
\ modeled using MITRE ATT&CK\xAE.\nRecommended values\n * Malware\n * Tool\n\
|
||
\n While not required, you can use a MITRE ATT&CK\xAE software type."
|
||
example: Tool
|
||
default_field: false
|
||
- name: tactic.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
|
||
\ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )"
|
||
example: TA0002
|
||
- name: tactic.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "Name of the type of tactic used by this threat. You can use a\
|
||
\ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)"
|
||
example: Execution
|
||
- name: tactic.reference
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "The reference url of tactic used by this threat. You can use a\
|
||
\ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\
|
||
\ )"
|
||
example: https://attack.mitre.org/tactics/TA0002/
|
||
- name: technique.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\
|
||
\ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
|
||
example: T1059
|
||
- name: technique.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: "The name of technique used by this threat. You can use a MITRE\
|
||
\ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
|
||
example: Command and Scripting Interpreter
|
||
- name: technique.reference
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "The reference url of technique used by this threat. You can use\
|
||
\ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
|
||
example: https://attack.mitre.org/techniques/T1059/
|
||
- name: technique.subtechnique.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "The full id of subtechnique used by this threat. You can use a\
|
||
\ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
|
||
example: T1059.001
|
||
default_field: false
|
||
- name: technique.subtechnique.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: "The name of subtechnique used by this threat. You can use a MITRE\
|
||
\ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
|
||
example: PowerShell
|
||
default_field: false
|
||
- name: technique.subtechnique.reference
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: "The reference url of subtechnique used by this threat. You can\
|
||
\ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
|
||
example: https://attack.mitre.org/techniques/T1059/001/
|
||
default_field: false
|
||
- name: tls
|
||
title: TLS
|
||
group: 2
|
||
description: Fields related to a TLS connection. These fields focus on the TLS
|
||
protocol itself and intentionally avoids in-depth analysis of the related x.509
|
||
certificate files.
|
||
type: group
|
||
fields:
|
||
- name: cipher
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: String indicating the cipher used during the current connection.
|
||
example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
||
default_field: false
|
||
- name: client.certificate
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: PEM-encoded stand-alone certificate offered by the client. This
|
||
is usually mutually-exclusive of `client.certificate_chain` since this value
|
||
also exists in that list.
|
||
example: MII...
|
||
default_field: false
|
||
- name: client.certificate_chain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Array of PEM-encoded certificates that make up the certificate
|
||
chain offered by the client. This is usually mutually-exclusive of `client.certificate`
|
||
since that value should be the first certificate in the chain.
|
||
example: '["MII...", "MII..."]'
|
||
default_field: false
|
||
- name: client.hash.md5
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Certificate fingerprint using the MD5 digest of DER-encoded version
|
||
of certificate offered by the client. For consistency with other hash values,
|
||
this value should be formatted as an uppercase hash.
|
||
example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
|
||
default_field: false
|
||
- name: client.hash.sha1
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Certificate fingerprint using the SHA1 digest of DER-encoded version
|
||
of certificate offered by the client. For consistency with other hash values,
|
||
this value should be formatted as an uppercase hash.
|
||
example: 9E393D93138888D288266C2D915214D1D1CCEB2A
|
||
default_field: false
|
||
- name: client.hash.sha256
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Certificate fingerprint using the SHA256 digest of DER-encoded
|
||
version of certificate offered by the client. For consistency with other hash
|
||
values, this value should be formatted as an uppercase hash.
|
||
example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
|
||
default_field: false
|
||
- name: client.issuer
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Distinguished name of subject of the issuer of the x.509 certificate
|
||
presented by the client.
|
||
example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
|
||
default_field: false
|
||
- name: client.ja3
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: A hash that identifies clients based on how they perform an SSL/TLS
|
||
handshake.
|
||
example: d4e5b18d6b55c71272893221c96ba240
|
||
default_field: false
|
||
- name: client.not_after
|
||
level: extended
|
||
type: date
|
||
description: Date/Time indicating when client certificate is no longer considered
|
||
valid.
|
||
example: '2021-01-01T00:00:00.000Z'
|
||
default_field: false
|
||
- name: client.not_before
|
||
level: extended
|
||
type: date
|
||
description: Date/Time indicating when client certificate is first considered
|
||
valid.
|
||
example: '1970-01-01T00:00:00.000Z'
|
||
default_field: false
|
||
- name: client.server_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Also called an SNI, this tells the server which hostname to which
|
||
the client is attempting to connect to. When this value is available, it should
|
||
get copied to `destination.domain`.
|
||
example: www.elastic.co
|
||
default_field: false
|
||
- name: client.subject
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Distinguished name of subject of the x.509 certificate presented
|
||
by the client.
|
||
example: CN=myclient, OU=Documentation Team, DC=example, DC=com
|
||
default_field: false
|
||
- name: client.supported_ciphers
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Array of ciphers offered by the client during the client hello.
|
||
example: '["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
||
"..."]'
|
||
default_field: false
|
||
- name: client.x509.alternative_names
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of subject alternative names (SAN). Name types vary by certificate
|
||
authority and certificate type but commonly contain IP addresses, DNS names
|
||
(and wildcards), and email addresses.
|
||
example: '*.elastic.co'
|
||
default_field: false
|
||
- name: client.x509.issuer.common_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of common name (CN) of issuing certificate authority.
|
||
example: Example SHA2 High Assurance Server CA
|
||
default_field: false
|
||
- name: client.x509.issuer.country
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of country (C) codes
|
||
example: US
|
||
default_field: false
|
||
- name: client.x509.issuer.distinguished_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Distinguished name (DN) of issuing certificate authority.
|
||
example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
|
||
Server CA
|
||
default_field: false
|
||
- name: client.x509.issuer.locality
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of locality names (L)
|
||
example: Mountain View
|
||
default_field: false
|
||
- name: client.x509.issuer.organization
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizations (O) of issuing certificate authority.
|
||
example: Example Inc
|
||
default_field: false
|
||
- name: client.x509.issuer.organizational_unit
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizational units (OU) of issuing certificate authority.
|
||
example: www.example.com
|
||
default_field: false
|
||
- name: client.x509.issuer.state_or_province
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of state or province names (ST, S, or P)
|
||
example: California
|
||
default_field: false
|
||
- name: client.x509.not_after
|
||
level: extended
|
||
type: date
|
||
description: Time at which the certificate is no longer considered valid.
|
||
example: 2020-07-16 03:15:39+00:00
|
||
default_field: false
|
||
- name: client.x509.not_before
|
||
level: extended
|
||
type: date
|
||
description: Time at which the certificate is first considered valid.
|
||
example: 2019-08-16 01:40:25+00:00
|
||
default_field: false
|
||
- name: client.x509.public_key_algorithm
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Algorithm used to generate the public key.
|
||
example: RSA
|
||
default_field: false
|
||
- name: client.x509.public_key_curve
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The curve used by the elliptic curve public key algorithm. This
|
||
is algorithm specific.
|
||
example: nistp521
|
||
default_field: false
|
||
- name: client.x509.public_key_exponent
|
||
level: extended
|
||
type: long
|
||
description: Exponent used to derive the public key. This is algorithm specific.
|
||
example: 65537
|
||
index: false
|
||
doc_values: false
|
||
default_field: false
|
||
- name: client.x509.public_key_size
|
||
level: extended
|
||
type: long
|
||
description: The size of the public key space in bits.
|
||
example: 2048
|
||
default_field: false
|
||
- name: client.x509.serial_number
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique serial number issued by the certificate authority. For consistency,
|
||
if this value is alphanumeric, it should be formatted without colons and uppercase
|
||
characters.
|
||
example: 55FBB9C7DEBF09809D12CCAA
|
||
default_field: false
|
||
- name: client.x509.signature_algorithm
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Identifier for certificate signature algorithm. We recommend using
|
||
names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
|
||
example: SHA256-RSA
|
||
default_field: false
|
||
- name: client.x509.subject.common_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of common names (CN) of subject.
|
||
example: shared.global.example.net
|
||
default_field: false
|
||
- name: client.x509.subject.country
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of country (C) code
|
||
example: US
|
||
default_field: false
|
||
- name: client.x509.subject.distinguished_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Distinguished name (DN) of the certificate subject entity.
|
||
example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
|
||
default_field: false
|
||
- name: client.x509.subject.locality
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of locality names (L)
|
||
example: San Francisco
|
||
default_field: false
|
||
- name: client.x509.subject.organization
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizations (O) of subject.
|
||
example: Example, Inc.
|
||
default_field: false
|
||
- name: client.x509.subject.organizational_unit
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizational units (OU) of subject.
|
||
default_field: false
|
||
- name: client.x509.subject.state_or_province
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of state or province names (ST, S, or P)
|
||
example: California
|
||
default_field: false
|
||
- name: client.x509.version_number
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Version of x509 format.
|
||
example: 3
|
||
default_field: false
|
||
- name: curve
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: String indicating the curve used for the given cipher, when applicable.
|
||
example: secp256r1
|
||
default_field: false
|
||
- name: established
|
||
level: extended
|
||
type: boolean
|
||
description: Boolean flag indicating if the TLS negotiation was successful and
|
||
transitioned to an encrypted tunnel.
|
||
default_field: false
|
||
- name: next_protocol
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: String indicating the protocol being tunneled. Per the values in
|
||
the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids),
|
||
this string should be lower case.
|
||
example: http/1.1
|
||
default_field: false
|
||
- name: resumed
|
||
level: extended
|
||
type: boolean
|
||
description: Boolean flag indicating if this TLS connection was resumed from
|
||
an existing TLS negotiation.
|
||
default_field: false
|
||
- name: server.certificate
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: PEM-encoded stand-alone certificate offered by the server. This
|
||
is usually mutually-exclusive of `server.certificate_chain` since this value
|
||
also exists in that list.
|
||
example: MII...
|
||
default_field: false
|
||
- name: server.certificate_chain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Array of PEM-encoded certificates that make up the certificate
|
||
chain offered by the server. This is usually mutually-exclusive of `server.certificate`
|
||
since that value should be the first certificate in the chain.
|
||
example: '["MII...", "MII..."]'
|
||
default_field: false
|
||
- name: server.hash.md5
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Certificate fingerprint using the MD5 digest of DER-encoded version
|
||
of certificate offered by the server. For consistency with other hash values,
|
||
this value should be formatted as an uppercase hash.
|
||
example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
|
||
default_field: false
|
||
- name: server.hash.sha1
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Certificate fingerprint using the SHA1 digest of DER-encoded version
|
||
of certificate offered by the server. For consistency with other hash values,
|
||
this value should be formatted as an uppercase hash.
|
||
example: 9E393D93138888D288266C2D915214D1D1CCEB2A
|
||
default_field: false
|
||
- name: server.hash.sha256
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Certificate fingerprint using the SHA256 digest of DER-encoded
|
||
version of certificate offered by the server. For consistency with other hash
|
||
values, this value should be formatted as an uppercase hash.
|
||
example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
|
||
default_field: false
|
||
- name: server.issuer
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Subject of the issuer of the x.509 certificate presented by the
|
||
server.
|
||
example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
|
||
default_field: false
|
||
- name: server.ja3s
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: A hash that identifies servers based on how they perform an SSL/TLS
|
||
handshake.
|
||
example: 394441ab65754e2207b1e1b457b3641d
|
||
default_field: false
|
||
- name: server.not_after
|
||
level: extended
|
||
type: date
|
||
description: Timestamp indicating when server certificate is no longer considered
|
||
valid.
|
||
example: '2021-01-01T00:00:00.000Z'
|
||
default_field: false
|
||
- name: server.not_before
|
||
level: extended
|
||
type: date
|
||
description: Timestamp indicating when server certificate is first considered
|
||
valid.
|
||
example: '1970-01-01T00:00:00.000Z'
|
||
default_field: false
|
||
- name: server.subject
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Subject of the x.509 certificate presented by the server.
|
||
example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com
|
||
default_field: false
|
||
- name: server.x509.alternative_names
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of subject alternative names (SAN). Name types vary by certificate
|
||
authority and certificate type but commonly contain IP addresses, DNS names
|
||
(and wildcards), and email addresses.
|
||
example: '*.elastic.co'
|
||
default_field: false
|
||
- name: server.x509.issuer.common_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of common name (CN) of issuing certificate authority.
|
||
example: Example SHA2 High Assurance Server CA
|
||
default_field: false
|
||
- name: server.x509.issuer.country
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of country (C) codes
|
||
example: US
|
||
default_field: false
|
||
- name: server.x509.issuer.distinguished_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Distinguished name (DN) of issuing certificate authority.
|
||
example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
|
||
Server CA
|
||
default_field: false
|
||
- name: server.x509.issuer.locality
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of locality names (L)
|
||
example: Mountain View
|
||
default_field: false
|
||
- name: server.x509.issuer.organization
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizations (O) of issuing certificate authority.
|
||
example: Example Inc
|
||
default_field: false
|
||
- name: server.x509.issuer.organizational_unit
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizational units (OU) of issuing certificate authority.
|
||
example: www.example.com
|
||
default_field: false
|
||
- name: server.x509.issuer.state_or_province
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of state or province names (ST, S, or P)
|
||
example: California
|
||
default_field: false
|
||
- name: server.x509.not_after
|
||
level: extended
|
||
type: date
|
||
description: Time at which the certificate is no longer considered valid.
|
||
example: 2020-07-16 03:15:39+00:00
|
||
default_field: false
|
||
- name: server.x509.not_before
|
||
level: extended
|
||
type: date
|
||
description: Time at which the certificate is first considered valid.
|
||
example: 2019-08-16 01:40:25+00:00
|
||
default_field: false
|
||
- name: server.x509.public_key_algorithm
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Algorithm used to generate the public key.
|
||
example: RSA
|
||
default_field: false
|
||
- name: server.x509.public_key_curve
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The curve used by the elliptic curve public key algorithm. This
|
||
is algorithm specific.
|
||
example: nistp521
|
||
default_field: false
|
||
- name: server.x509.public_key_exponent
|
||
level: extended
|
||
type: long
|
||
description: Exponent used to derive the public key. This is algorithm specific.
|
||
example: 65537
|
||
index: false
|
||
doc_values: false
|
||
default_field: false
|
||
- name: server.x509.public_key_size
|
||
level: extended
|
||
type: long
|
||
description: The size of the public key space in bits.
|
||
example: 2048
|
||
default_field: false
|
||
- name: server.x509.serial_number
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique serial number issued by the certificate authority. For consistency,
|
||
if this value is alphanumeric, it should be formatted without colons and uppercase
|
||
characters.
|
||
example: 55FBB9C7DEBF09809D12CCAA
|
||
default_field: false
|
||
- name: server.x509.signature_algorithm
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Identifier for certificate signature algorithm. We recommend using
|
||
names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
|
||
example: SHA256-RSA
|
||
default_field: false
|
||
- name: server.x509.subject.common_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of common names (CN) of subject.
|
||
example: shared.global.example.net
|
||
default_field: false
|
||
- name: server.x509.subject.country
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of country (C) code
|
||
example: US
|
||
default_field: false
|
||
- name: server.x509.subject.distinguished_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Distinguished name (DN) of the certificate subject entity.
|
||
example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
|
||
default_field: false
|
||
- name: server.x509.subject.locality
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of locality names (L)
|
||
example: San Francisco
|
||
default_field: false
|
||
- name: server.x509.subject.organization
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizations (O) of subject.
|
||
example: Example, Inc.
|
||
default_field: false
|
||
- name: server.x509.subject.organizational_unit
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizational units (OU) of subject.
|
||
default_field: false
|
||
- name: server.x509.subject.state_or_province
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of state or province names (ST, S, or P)
|
||
example: California
|
||
default_field: false
|
||
- name: server.x509.version_number
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Version of x509 format.
|
||
example: 3
|
||
default_field: false
|
||
- name: version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Numeric part of the version parsed from the original string.
|
||
example: '1.2'
|
||
default_field: false
|
||
- name: version_protocol
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Normalized lowercase protocol name parsed from original string.
|
||
example: tls
|
||
default_field: false
|
||
- name: span.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Unique identifier of the span within the scope of its trace.
|
||
|
||
A span represents an operation within a transaction, such as a request to another
|
||
service, or a database query.'
|
||
example: 3ff9a8981b7ccd5a
|
||
default_field: false
|
||
- name: trace.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Unique identifier of the trace.
|
||
|
||
A trace groups multiple events like transactions that belong together. For example,
|
||
a user request handled by multiple inter-connected services.'
|
||
example: 4bf92f3577b34da6a3ce929d0e0e4736
|
||
- name: transaction.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Unique identifier of the transaction within the scope of its trace.
|
||
|
||
A transaction is the highest level of work measured within a service, such as
|
||
a request to a server.'
|
||
example: 00f067aa0ba902b7
|
||
- name: url
|
||
title: URL
|
||
group: 2
|
||
description: URL fields provide support for complete or partial URLs, and supports
|
||
the breaking down into scheme, domain, path, and so on.
|
||
type: group
|
||
fields:
|
||
- name: domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Domain of the url, such as "www.elastic.co".
|
||
|
||
In some cases a URL may refer to an IP and/or port directly, without a domain
|
||
name. In this case, the IP address would go to the `domain` field.
|
||
|
||
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
|
||
2732), the `[` and `]` characters should also be captured in the `domain`
|
||
field.'
|
||
example: www.elastic.co
|
||
- name: extension
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The field contains the file extension from the original request
|
||
url, excluding the leading dot.
|
||
|
||
The file extension is only set if it exists, as not every url has a file extension.
|
||
|
||
The leading period must not be included. For example, the value must be "png",
|
||
not ".png".
|
||
|
||
Note that when the file name has multiple extensions (example.tar.gz), only
|
||
the last one should be captured ("gz", not "tar.gz").'
|
||
example: png
|
||
- name: fragment
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Portion of the url after the `#`, such as "top".
|
||
|
||
The `#` is not part of the fragment.'
|
||
- name: full
|
||
level: extended
|
||
type: wildcard
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: If full URLs are important to your use case, they should be stored
|
||
in `url.full`, whether this field is reconstructed or present in the event
|
||
source.
|
||
example: https://www.elastic.co:443/search?q=elasticsearch#top
|
||
- name: original
|
||
level: extended
|
||
type: wildcard
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: 'Unmodified original url as seen in the event source.
|
||
|
||
Note that in network monitoring, the observed URL may be a full URL, whereas
|
||
in access logs, the URL is often just represented as a path.
|
||
|
||
This field is meant to represent the URL as it was observed, complete or not.'
|
||
example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
|
||
- name: password
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Password of the request.
|
||
- name: path
|
||
level: extended
|
||
type: wildcard
|
||
description: Path of the request, such as "/search".
|
||
- name: port
|
||
level: extended
|
||
type: long
|
||
format: string
|
||
description: Port of the request, such as 443.
|
||
example: 443
|
||
- name: query
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The query field describes the query string of the request, such
|
||
as "q=elasticsearch".
|
||
|
||
The `?` is excluded from the query string. If a URL contains no `?`, there
|
||
is no query field. If there is a `?` but no query, the query field exists
|
||
with an empty string. The `exists` query can be used to differentiate between
|
||
the two cases.'
|
||
- name: registered_domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The highest registered url domain, stripped of the subdomain.
|
||
|
||
For example, the registered domain for "foo.example.com" is "example.com".
|
||
|
||
This value can be determined precisely with a list like the public suffix
|
||
list (http://publicsuffix.org). Trying to approximate this by simply taking
|
||
the last two labels will not work well for TLDs such as "co.uk".'
|
||
example: example.com
|
||
- name: scheme
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Scheme of the request, such as "https".
|
||
|
||
Note: The `:` is not part of the scheme.'
|
||
example: https
|
||
- name: subdomain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The subdomain portion of a fully qualified domain name includes
|
||
all of the names except the host name under the registered_domain. In a partially
|
||
qualified domain, or if the the qualification level of the full name cannot
|
||
be determined, subdomain contains all of the names below the registered domain.
|
||
|
||
For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
|
||
If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
|
||
the subdomain field should contain "sub2.sub1", with no trailing period.'
|
||
example: east
|
||
default_field: false
|
||
- name: top_level_domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The effective top level domain (eTLD), also known as the domain
|
||
suffix, is the last part of the domain name. For example, the top level domain
|
||
for example.com is "com".
|
||
|
||
This value can be determined precisely with a list like the public suffix
|
||
list (http://publicsuffix.org). Trying to approximate this by simply taking
|
||
the last label will not work well for effective TLDs such as "co.uk".'
|
||
example: co.uk
|
||
- name: username
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Username of the request.
|
||
- name: user
|
||
title: User
|
||
group: 2
|
||
description: 'The user fields describe information about the user that is relevant
|
||
to the event.
|
||
|
||
Fields can have one entry or multiple entries. If a user has more than one id,
|
||
provide an array that includes all of them.'
|
||
type: group
|
||
fields:
|
||
- name: changes.domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the directory the user is a member of.
|
||
|
||
For example, an LDAP or Active Directory domain name.'
|
||
default_field: false
|
||
- name: changes.email
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: User email address.
|
||
default_field: false
|
||
- name: changes.full_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: User's full name, if available.
|
||
example: Albert Einstein
|
||
default_field: false
|
||
- name: changes.group.domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the directory the group is a member of.
|
||
|
||
For example, an LDAP or Active Directory domain name.'
|
||
default_field: false
|
||
- name: changes.group.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier for the group on the system/platform.
|
||
default_field: false
|
||
- name: changes.group.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the group.
|
||
default_field: false
|
||
- name: changes.hash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Unique user hash to correlate information for a user in anonymized
|
||
form.
|
||
|
||
Useful if `user.id` or `user.name` contain confidential information and cannot
|
||
be used.'
|
||
default_field: false
|
||
- name: changes.id
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier of the user.
|
||
example: S-1-5-21-202424912787-2692429404-2351956786-1000
|
||
default_field: false
|
||
- name: changes.name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: Short name or login of the user.
|
||
example: a.einstein
|
||
default_field: false
|
||
- name: changes.roles
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Array of user roles at the time of the event.
|
||
example: '["kibana_admin", "reporting_user"]'
|
||
default_field: false
|
||
- name: domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the directory the user is a member of.
|
||
|
||
For example, an LDAP or Active Directory domain name.'
|
||
- name: effective.domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the directory the user is a member of.
|
||
|
||
For example, an LDAP or Active Directory domain name.'
|
||
default_field: false
|
||
- name: effective.email
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: User email address.
|
||
default_field: false
|
||
- name: effective.full_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: User's full name, if available.
|
||
example: Albert Einstein
|
||
default_field: false
|
||
- name: effective.group.domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the directory the group is a member of.
|
||
|
||
For example, an LDAP or Active Directory domain name.'
|
||
default_field: false
|
||
- name: effective.group.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier for the group on the system/platform.
|
||
default_field: false
|
||
- name: effective.group.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the group.
|
||
default_field: false
|
||
- name: effective.hash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Unique user hash to correlate information for a user in anonymized
|
||
form.
|
||
|
||
Useful if `user.id` or `user.name` contain confidential information and cannot
|
||
be used.'
|
||
default_field: false
|
||
- name: effective.id
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier of the user.
|
||
example: S-1-5-21-202424912787-2692429404-2351956786-1000
|
||
default_field: false
|
||
- name: effective.name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: Short name or login of the user.
|
||
example: a.einstein
|
||
default_field: false
|
||
- name: effective.roles
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Array of user roles at the time of the event.
|
||
example: '["kibana_admin", "reporting_user"]'
|
||
default_field: false
|
||
- name: email
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: User email address.
|
||
- name: full_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: User's full name, if available.
|
||
example: Albert Einstein
|
||
- name: group.domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the directory the group is a member of.
|
||
|
||
For example, an LDAP or Active Directory domain name.'
|
||
- name: group.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier for the group on the system/platform.
|
||
- name: group.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the group.
|
||
- name: hash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Unique user hash to correlate information for a user in anonymized
|
||
form.
|
||
|
||
Useful if `user.id` or `user.name` contain confidential information and cannot
|
||
be used.'
|
||
- name: id
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier of the user.
|
||
example: S-1-5-21-202424912787-2692429404-2351956786-1000
|
||
- name: name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Short name or login of the user.
|
||
example: a.einstein
|
||
- name: roles
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Array of user roles at the time of the event.
|
||
example: '["kibana_admin", "reporting_user"]'
|
||
default_field: false
|
||
- name: target.domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the directory the user is a member of.
|
||
|
||
For example, an LDAP or Active Directory domain name.'
|
||
default_field: false
|
||
- name: target.email
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: User email address.
|
||
default_field: false
|
||
- name: target.full_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: User's full name, if available.
|
||
example: Albert Einstein
|
||
default_field: false
|
||
- name: target.group.domain
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Name of the directory the group is a member of.
|
||
|
||
For example, an LDAP or Active Directory domain name.'
|
||
default_field: false
|
||
- name: target.group.id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier for the group on the system/platform.
|
||
default_field: false
|
||
- name: target.group.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the group.
|
||
default_field: false
|
||
- name: target.hash
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Unique user hash to correlate information for a user in anonymized
|
||
form.
|
||
|
||
Useful if `user.id` or `user.name` contain confidential information and cannot
|
||
be used.'
|
||
default_field: false
|
||
- name: target.id
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique identifier of the user.
|
||
example: S-1-5-21-202424912787-2692429404-2351956786-1000
|
||
default_field: false
|
||
- name: target.name
|
||
level: core
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: Short name or login of the user.
|
||
example: a.einstein
|
||
default_field: false
|
||
- name: target.roles
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Array of user roles at the time of the event.
|
||
example: '["kibana_admin", "reporting_user"]'
|
||
default_field: false
|
||
- name: user_agent
|
||
title: User agent
|
||
group: 2
|
||
description: 'The user_agent fields normally come from a browser request.
|
||
|
||
They often show up in web service logs coming from the parsed user agent string.'
|
||
type: group
|
||
fields:
|
||
- name: device.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the device.
|
||
example: iPhone
|
||
- name: name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Name of the user agent.
|
||
example: Safari
|
||
- name: original
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: Unparsed user_agent string.
|
||
example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
|
||
(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
|
||
- name: os.family
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: OS family (such as redhat, debian, freebsd, windows).
|
||
example: debian
|
||
- name: os.full
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Operating system name, including the version or code name.
|
||
example: Mac OS Mojave
|
||
- name: os.kernel
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Operating system kernel version as a raw string.
|
||
example: 4.4.0-112-generic
|
||
- name: os.name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
default_field: false
|
||
description: Operating system name, without the version.
|
||
example: Mac OS X
|
||
- name: os.platform
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Operating system platform (such centos, ubuntu, windows).
|
||
example: darwin
|
||
- name: os.type
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'Use the `os.type` field to categorize the operating system into
|
||
one of the broad commercial families.
|
||
|
||
One of these following values should be used (lowercase): linux, macos, unix,
|
||
windows.
|
||
|
||
If the OS you''re dealing with is not in the list, the field should not be
|
||
populated. Please let us know by opening an issue with ECS, to propose its
|
||
addition.'
|
||
example: macos
|
||
default_field: false
|
||
- name: os.version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Operating system version as a raw string.
|
||
example: 10.14.1
|
||
- name: version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Version of the user agent.
|
||
example: 12.0
|
||
- name: vlan
|
||
title: VLAN
|
||
group: 2
|
||
description: 'The VLAN fields are used to identify 802.1q tag(s) of a packet,
|
||
as well as ingress and egress VLAN associations of an observer in relation to
|
||
a specific packet or connection.
|
||
|
||
Network.vlan fields are used to record a single VLAN tag, or the outer tag in
|
||
the case of q-in-q encapsulations, for a packet or connection as observed, typically
|
||
provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic.
|
||
|
||
Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple
|
||
802.1q encapsulations) as observed, typically provided by a network sensor (e.g.
|
||
Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should
|
||
only be used in addition to network.vlan fields to indicate q-in-q tagging.
|
||
|
||
Observer.ingress and observer.egress VLAN values are used to record observer
|
||
specific information when observer events contain discrete ingress and egress
|
||
VLAN information, typically provided by firewalls, routers, or load balancers.'
|
||
type: group
|
||
fields:
|
||
- name: id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: VLAN ID as reported by the observer.
|
||
example: 10
|
||
default_field: false
|
||
- name: name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Optional VLAN name as reported by the observer.
|
||
example: outside
|
||
default_field: false
|
||
- name: vulnerability
|
||
title: Vulnerability
|
||
group: 2
|
||
description: The vulnerability fields describe information about a vulnerability
|
||
that is relevant to an event.
|
||
type: group
|
||
fields:
|
||
- name: category
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The type of system or architecture that the vulnerability affects.
|
||
These may be platform-specific (for example, Debian or SUSE) or general (for
|
||
example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys
|
||
vulnerability categories])
|
||
|
||
This field must be an array.'
|
||
example: '["Firewall"]'
|
||
default_field: false
|
||
- name: classification
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The classification of the vulnerability scoring system. For example
|
||
(https://www.first.org/cvss/)
|
||
example: CVSS
|
||
default_field: false
|
||
- name: description
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
multi_fields:
|
||
- name: text
|
||
type: match_only_text
|
||
description: The description of the vulnerability that provides additional context
|
||
of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common
|
||
Vulnerabilities and Exposure CVE description])
|
||
example: In macOS before 2.12.6, there is a vulnerability in the RPC...
|
||
default_field: false
|
||
- name: enumeration
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The type of identifier used for this vulnerability. For example
|
||
(https://cve.mitre.org/about/)
|
||
example: CVE
|
||
default_field: false
|
||
- name: id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The identification (ID) is the number portion of a vulnerability
|
||
entry. It includes a unique identification number for the vulnerability. For
|
||
example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities
|
||
and Exposure CVE ID]
|
||
example: CVE-2019-00001
|
||
default_field: false
|
||
- name: reference
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: A resource that provides additional information, context, and mitigations
|
||
for the identified vulnerability.
|
||
example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111
|
||
default_field: false
|
||
- name: report_id
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The report or scan identification number.
|
||
example: 20191018.0001
|
||
default_field: false
|
||
- name: scanner.vendor
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The name of the vulnerability scanner vendor.
|
||
example: Tenable
|
||
default_field: false
|
||
- name: score.base
|
||
level: extended
|
||
type: float
|
||
description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
|
||
|
||
Base scores cover an assessment for exploitability metrics (attack vector,
|
||
complexity, privileges, and user interaction), impact metrics (confidentiality,
|
||
integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)'
|
||
example: 5.5
|
||
default_field: false
|
||
- name: score.environmental
|
||
level: extended
|
||
type: float
|
||
description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
|
||
|
||
Environmental scores cover an assessment for any modified Base metrics, confidentiality,
|
||
integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document)'
|
||
example: 5.5
|
||
default_field: false
|
||
- name: score.temporal
|
||
level: extended
|
||
type: float
|
||
description: 'Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
|
||
|
||
Temporal scores cover an assessment for code maturity, remediation level,
|
||
and confidence. For example (https://www.first.org/cvss/specification-document)'
|
||
default_field: false
|
||
- name: score.version
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: 'The National Vulnerability Database (NVD) provides qualitative
|
||
severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score
|
||
ranges in addition to the severity ratings for CVSS v3.0 as they are defined
|
||
in the CVSS v3.0 specification.
|
||
|
||
CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit
|
||
organization, whose mission is to help computer security incident response
|
||
teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss)'
|
||
example: 2.0
|
||
default_field: false
|
||
- name: severity
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The severity of the vulnerability can help with metrics and internal
|
||
prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)
|
||
example: Critical
|
||
default_field: false
|
||
- name: x509
|
||
title: x509 Certificate
|
||
group: 2
|
||
description: 'This implements the common core fields for x509 certificates. This
|
||
information is likely logged with TLS sessions, digital signatures found in
|
||
executable binaries, S/MIME information in email bodies, or analysis of files
|
||
on disk.
|
||
|
||
When the certificate relates to a file, use the fields at `file.x509`. When
|
||
hashes of the DER-encoded certificate are available, the `hash` data set should
|
||
be populated as well (e.g. `file.hash.sha256`).
|
||
|
||
Events that contain certificate information about network connections, should
|
||
use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or
|
||
`tls.client.x509`.'
|
||
type: group
|
||
fields:
|
||
- name: alternative_names
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of subject alternative names (SAN). Name types vary by certificate
|
||
authority and certificate type but commonly contain IP addresses, DNS names
|
||
(and wildcards), and email addresses.
|
||
example: '*.elastic.co'
|
||
default_field: false
|
||
- name: issuer.common_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of common name (CN) of issuing certificate authority.
|
||
example: Example SHA2 High Assurance Server CA
|
||
default_field: false
|
||
- name: issuer.country
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of country (C) codes
|
||
example: US
|
||
default_field: false
|
||
- name: issuer.distinguished_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Distinguished name (DN) of issuing certificate authority.
|
||
example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
|
||
Server CA
|
||
default_field: false
|
||
- name: issuer.locality
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of locality names (L)
|
||
example: Mountain View
|
||
default_field: false
|
||
- name: issuer.organization
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizations (O) of issuing certificate authority.
|
||
example: Example Inc
|
||
default_field: false
|
||
- name: issuer.organizational_unit
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizational units (OU) of issuing certificate authority.
|
||
example: www.example.com
|
||
default_field: false
|
||
- name: issuer.state_or_province
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of state or province names (ST, S, or P)
|
||
example: California
|
||
default_field: false
|
||
- name: not_after
|
||
level: extended
|
||
type: date
|
||
description: Time at which the certificate is no longer considered valid.
|
||
example: 2020-07-16 03:15:39+00:00
|
||
default_field: false
|
||
- name: not_before
|
||
level: extended
|
||
type: date
|
||
description: Time at which the certificate is first considered valid.
|
||
example: 2019-08-16 01:40:25+00:00
|
||
default_field: false
|
||
- name: public_key_algorithm
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Algorithm used to generate the public key.
|
||
example: RSA
|
||
default_field: false
|
||
- name: public_key_curve
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: The curve used by the elliptic curve public key algorithm. This
|
||
is algorithm specific.
|
||
example: nistp521
|
||
default_field: false
|
||
- name: public_key_exponent
|
||
level: extended
|
||
type: long
|
||
description: Exponent used to derive the public key. This is algorithm specific.
|
||
example: 65537
|
||
index: false
|
||
doc_values: false
|
||
default_field: false
|
||
- name: public_key_size
|
||
level: extended
|
||
type: long
|
||
description: The size of the public key space in bits.
|
||
example: 2048
|
||
default_field: false
|
||
- name: serial_number
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Unique serial number issued by the certificate authority. For consistency,
|
||
if this value is alphanumeric, it should be formatted without colons and uppercase
|
||
characters.
|
||
example: 55FBB9C7DEBF09809D12CCAA
|
||
default_field: false
|
||
- name: signature_algorithm
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Identifier for certificate signature algorithm. We recommend using
|
||
names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
|
||
example: SHA256-RSA
|
||
default_field: false
|
||
- name: subject.common_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of common names (CN) of subject.
|
||
example: shared.global.example.net
|
||
default_field: false
|
||
- name: subject.country
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of country (C) code
|
||
example: US
|
||
default_field: false
|
||
- name: subject.distinguished_name
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Distinguished name (DN) of the certificate subject entity.
|
||
example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
|
||
default_field: false
|
||
- name: subject.locality
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of locality names (L)
|
||
example: San Francisco
|
||
default_field: false
|
||
- name: subject.organization
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizations (O) of subject.
|
||
example: Example, Inc.
|
||
default_field: false
|
||
- name: subject.organizational_unit
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of organizational units (OU) of subject.
|
||
default_field: false
|
||
- name: subject.state_or_province
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: List of state or province names (ST, S, or P)
|
||
example: California
|
||
default_field: false
|
||
- name: version_number
|
||
level: extended
|
||
type: keyword
|
||
ignore_above: 1024
|
||
description: Version of x509 format.
|
||
example: 3
|
||
default_field: false
|
||
- key: beat
|
||
anchor: beat-common
|
||
title: Beat
|
||
description: >
|
||
Contains common beat fields available in all event types.
|
||
fields:
|
||
- name: agent.hostname
|
||
type: keyword
|
||
description: >
|
||
Deprecated - use agent.name or agent.id to identify an agent.
|
||
Hostname of the agent.
|
||
|
||
- name: beat.timezone
|
||
type: alias
|
||
path: event.timezone
|
||
migration: true
|
||
|
||
- name: fields
|
||
type: object
|
||
object_type: keyword
|
||
description: >
|
||
Contains user configurable fields.
|
||
|
||
- name: beat.name
|
||
type: alias
|
||
path: host.name
|
||
migration: true
|
||
|
||
- name: beat.hostname
|
||
type: alias
|
||
path: agent.hostname
|
||
migration: true
|
||
|
||
- name: timeseries.instance
|
||
type: keyword
|
||
description: Time series instance id
|
||
- key: cloud
|
||
title: Cloud provider metadata
|
||
description: >
|
||
Metadata from cloud providers added by the add_cloud_metadata processor.
|
||
fields:
|
||
|
||
- name: cloud.image.id
|
||
example: ami-abcd1234
|
||
description: >
|
||
Image ID for the cloud instance.
|
||
|
||
# Alias for old fields
|
||
- name: meta.cloud.provider
|
||
type: alias
|
||
path: cloud.provider
|
||
migration: true
|
||
|
||
- name: meta.cloud.instance_id
|
||
type: alias
|
||
path: cloud.instance.id
|
||
migration: true
|
||
|
||
- name: meta.cloud.instance_name
|
||
type: alias
|
||
path: cloud.instance.name
|
||
migration: true
|
||
|
||
- name: meta.cloud.machine_type
|
||
type: alias
|
||
path: cloud.machine.type
|
||
migration: true
|
||
|
||
- name: meta.cloud.availability_zone
|
||
type: alias
|
||
path: cloud.availability_zone
|
||
migration: true
|
||
|
||
- name: meta.cloud.project_id
|
||
type: alias
|
||
path: cloud.project.id
|
||
migration: true
|
||
|
||
- name: meta.cloud.region
|
||
type: alias
|
||
path: cloud.region
|
||
migration: true
|
||
|
||
|
||
- key: docker
|
||
title: Docker
|
||
description: >
|
||
Docker stats collected from Docker.
|
||
short_config: false
|
||
anchor: docker-processor
|
||
fields:
|
||
- name: docker
|
||
type: group
|
||
fields:
|
||
- name: container.id
|
||
type: alias
|
||
path: container.id
|
||
migration: true
|
||
|
||
- name: container.image
|
||
type: alias
|
||
path: container.image.name
|
||
migration: true
|
||
|
||
- name: container.name
|
||
type: alias
|
||
path: container.name
|
||
migration: true
|
||
|
||
- name: container.labels # TODO: How to map these?
|
||
type: object
|
||
object_type: keyword
|
||
description: >
|
||
Image labels.
|
||
- key: host
|
||
title: Host
|
||
description: >
|
||
Info collected for the host machine.
|
||
anchor: host-processor
|
||
fields:
|
||
|
||
# ECS fields are in fields.ecs.yml.
|
||
# These are the non-ECS fields.
|
||
- name: host
|
||
type: group
|
||
fields:
|
||
|
||
- name: containerized
|
||
type: boolean
|
||
description: >
|
||
If the host is a container.
|
||
|
||
- name: os.build
|
||
type: keyword
|
||
example: "18D109"
|
||
description: >
|
||
OS build information.
|
||
|
||
- name: os.codename
|
||
type: keyword
|
||
example: "stretch"
|
||
description: >
|
||
OS codename, if any.
|
||
- key: kubernetes
|
||
title: Kubernetes
|
||
description: >
|
||
Kubernetes metadata added by the kubernetes processor
|
||
short_config: false
|
||
anchor: kubernetes-processor
|
||
fields:
|
||
- name: kubernetes
|
||
type: group
|
||
fields:
|
||
- name: pod.name
|
||
type: keyword
|
||
description: >
|
||
Kubernetes pod name
|
||
|
||
- name: pod.uid
|
||
type: keyword
|
||
description: >
|
||
Kubernetes Pod UID
|
||
|
||
- name: pod.ip
|
||
type: ip
|
||
description: >
|
||
Kubernetes Pod IP
|
||
|
||
- name: namespace
|
||
type: keyword
|
||
description: >
|
||
Kubernetes namespace
|
||
|
||
- name: node.name
|
||
type: keyword
|
||
description: >
|
||
Kubernetes node name
|
||
|
||
- name: node.hostname
|
||
type: keyword
|
||
description: >
|
||
Kubernetes hostname as reported by the node’s kernel
|
||
|
||
- name: labels.*
|
||
type: object
|
||
object_type: keyword
|
||
object_type_mapping_type: "*"
|
||
description: >
|
||
Kubernetes labels map
|
||
|
||
- name: annotations.*
|
||
type: object
|
||
object_type: keyword
|
||
object_type_mapping_type: "*"
|
||
description: >
|
||
Kubernetes annotations map
|
||
|
||
- name: selectors.*
|
||
type: object
|
||
object_type: keyword
|
||
object_type_mapping_type: "*"
|
||
description: >
|
||
Kubernetes selectors map
|
||
|
||
- name: replicaset.name
|
||
type: keyword
|
||
description: >
|
||
Kubernetes replicaset name
|
||
|
||
- name: deployment.name
|
||
type: keyword
|
||
description: >
|
||
Kubernetes deployment name
|
||
|
||
- name: statefulset.name
|
||
type: keyword
|
||
description: >
|
||
Kubernetes statefulset name
|
||
|
||
- name: container.name
|
||
type: keyword
|
||
description: >
|
||
Kubernetes container name (different than the name from the runtime)
|
||
|
||
- name: container.image
|
||
type: alias
|
||
path: container.image.name
|
||
description: >
|
||
Kubernetes container image
|
||
- key: process
|
||
title: Process
|
||
description: >
|
||
Process metadata fields
|
||
fields:
|
||
- name: process
|
||
type: group
|
||
fields:
|
||
- name: exe
|
||
type: alias
|
||
path: process.executable
|
||
migration: true
|
||
- key: jolokia-autodiscover
|
||
title: Jolokia Discovery autodiscover provider
|
||
description: >
|
||
Metadata from Jolokia Discovery added by the jolokia provider.
|
||
fields:
|
||
- name: jolokia.agent.version
|
||
type: keyword
|
||
description: >
|
||
Version number of jolokia agent.
|
||
- name: jolokia.agent.id
|
||
type: keyword
|
||
description: >
|
||
Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type.
|
||
- name: jolokia.server.product
|
||
type: keyword
|
||
description: >
|
||
The container product if detected.
|
||
- name: jolokia.server.version
|
||
type: keyword
|
||
description: >
|
||
The container's version (if detected).
|
||
- name: jolokia.server.vendor
|
||
type: keyword
|
||
description: >
|
||
The vendor of the container the agent is running in.
|
||
- name: jolokia.url
|
||
type: keyword
|
||
description: >
|
||
The URL how this agent can be contacted.
|
||
- name: jolokia.secured
|
||
type: boolean
|
||
description: >
|
||
Whether the agent was configured for authentication or not.
|
||
- key: icingabeat
|
||
title: icingabeat
|
||
description: Data received from the Icinga 2 API
|
||
fields:
|
||
|
||
- name: type
|
||
type: keyword
|
||
description: >
|
||
Type of the document
|
||
|
||
- name: icinga
|
||
type: group
|
||
fields:
|
||
- name: timestamp
|
||
type: date
|
||
description: >
|
||
Timestamp of event occurrence
|
||
|
||
- name: type
|
||
type: keyword
|
||
description: >
|
||
Type of the document
|
||
|
||
- name: host
|
||
type: keyword
|
||
description: >
|
||
Host that triggered the event
|
||
|
||
- name: service
|
||
type: keyword
|
||
description: >
|
||
Service that triggered the event
|
||
|
||
- name: state
|
||
type: integer
|
||
description: >
|
||
State of the check
|
||
|
||
- name: state_type
|
||
type: integer
|
||
description: >
|
||
State type of the check
|
||
|
||
- name: author
|
||
type: keyword
|
||
description: >
|
||
Author of a message
|
||
|
||
- name: notification_type
|
||
type: keyword
|
||
description: >
|
||
Type of notification
|
||
|
||
- name: text
|
||
type: text
|
||
description: >
|
||
Text of a message
|
||
|
||
- name: users
|
||
type: keyword
|
||
description: >
|
||
Affected users of a notification
|
||
|
||
- name: acknowledgement_type
|
||
type: integer
|
||
description: >
|
||
Type of an acknowledgement
|
||
|
||
- name: expiry
|
||
type: date
|
||
description: >
|
||
Expiry of an acknowledgement
|
||
|
||
- name: notify
|
||
type: keyword
|
||
description: >
|
||
If has been sent out
|
||
|
||
- name: check_result.active
|
||
type: boolean
|
||
description: >
|
||
If check was active or passive
|
||
|
||
- name: check_result.check_source
|
||
type: keyword
|
||
description: >
|
||
Icinga instance that scheduled the check
|
||
|
||
- name: check_result.command
|
||
type: text
|
||
description: >
|
||
Command that was executed
|
||
|
||
- name: check_result.execution_end
|
||
type: date
|
||
description: >
|
||
Time when execution of check ended
|
||
|
||
- name: check_result.execution_start
|
||
type: date
|
||
description: >
|
||
Time when execution of check started
|
||
|
||
- name: check_result.exit_status
|
||
type: integer
|
||
description: >
|
||
Exit status
|
||
|
||
- name: check_result.output
|
||
type: text
|
||
description: >
|
||
Output of check
|
||
|
||
- name: check_result.performance_data
|
||
type: text
|
||
description: >
|
||
Performance data in text format
|
||
|
||
- name: check_result.schedule_end
|
||
type: date
|
||
description: >
|
||
Time when scheduling of the check ended
|
||
|
||
- name: check_result.schedule_start
|
||
type: date
|
||
description: >
|
||
Time when check was scheduled
|
||
|
||
- name: check_result.state
|
||
type: integer
|
||
description: >
|
||
State of the check
|
||
|
||
- name: check_result.ttl
|
||
type: integer
|
||
description: >
|
||
TTL, only valid if passive check
|
||
|
||
- name: check_result.type
|
||
type: keyword
|
||
description: >
|
||
Type of this event
|
||
|
||
- name: check_result.vars_after.attempt
|
||
type: integer
|
||
description: >
|
||
Check attempt after check execution
|
||
|
||
- name: check_result.vars_after.reachable
|
||
type: boolean
|
||
description: >
|
||
Reachable state after check execution
|
||
|
||
- name: check_result.vars_after.state
|
||
type: integer
|
||
description: >
|
||
State of the check after execution
|
||
|
||
- name: check_result.vars_after.state_type
|
||
type: integer
|
||
description: >
|
||
State type after execution
|
||
|
||
- name: check_result.vars_before.attempt
|
||
type: integer
|
||
description: >
|
||
Check attempt before check execution
|
||
|
||
- name: check_result.vars_before.reachable
|
||
type: boolean
|
||
description: >
|
||
Reachable state before check execution
|
||
|
||
- name: check_result.vars_before.state
|
||
type: integer
|
||
description: >
|
||
Check state before check execution
|
||
|
||
- name: check_result.vars_before.state_type
|
||
type: integer
|
||
description: >
|
||
State type before check execution
|
||
|
||
- name: comment.__name
|
||
type: text
|
||
description: >
|
||
Unique identifier of a comment
|
||
|
||
- name: comment.author
|
||
type: keyword
|
||
description: >
|
||
Author of a comment
|
||
|
||
- name: comment.entry_time
|
||
type: date
|
||
description: >
|
||
Entry time of a comment
|
||
|
||
- name: comment.entry_type
|
||
type: integer
|
||
description: >
|
||
Entry type of a comment
|
||
|
||
- name: comment.expire_time
|
||
type: date
|
||
description: >
|
||
Expire time of a comment
|
||
|
||
- name: comment.host_name
|
||
type: keyword
|
||
description: >
|
||
Host name of a comment
|
||
|
||
- name: comment.legacy_id
|
||
type: integer
|
||
description: >
|
||
Legacy ID of a comment
|
||
|
||
- name: comment.name
|
||
type: keyword
|
||
description: >
|
||
Identifier of a comment
|
||
|
||
- name: comment.package
|
||
type: keyword
|
||
description: >
|
||
Config package of a comment
|
||
|
||
- name: comment.service_name
|
||
type: keyword
|
||
description: >
|
||
Service name of a comment
|
||
|
||
- name: comment.templates
|
||
type: text
|
||
description: >
|
||
Templates used by a comment
|
||
|
||
- name: comment.text
|
||
type: text
|
||
description: >
|
||
Text of a comment
|
||
|
||
- name: comment.type
|
||
type: keyword
|
||
description: >
|
||
Comment type
|
||
|
||
- name: comment.version
|
||
type: keyword
|
||
description: >
|
||
Config version of comment object
|
||
|
||
- name: comment.zone
|
||
type: keyword
|
||
description: >
|
||
Zone where comment was generated
|
||
|
||
- name: downtime.__name
|
||
type: text
|
||
description: >
|
||
Unique identifier of a downtime
|
||
|
||
- name: downtime.author
|
||
type: keyword
|
||
description: >
|
||
Author of a downtime
|
||
|
||
- name: downtime.comment
|
||
type: text
|
||
description: >
|
||
Text of a downtime
|
||
|
||
- name: downtime.config_owner
|
||
type: text
|
||
description: >
|
||
Config owner
|
||
|
||
- name: downtime.duration
|
||
type: integer
|
||
description: >
|
||
Duration of a downtime
|
||
|
||
- name: downtime.end_time
|
||
type: date
|
||
description: >
|
||
Timestamp of downtime end
|
||
|
||
- name: downtime.entry_time
|
||
type: date
|
||
description: >
|
||
Timestamp when downtime was created
|
||
|
||
- name: downtime.fixed
|
||
type: boolean
|
||
description: >
|
||
If downtime is fixed or flexible
|
||
|
||
- name: downtime.host_name
|
||
type: keyword
|
||
description: >
|
||
Hostname of a downtime
|
||
|
||
- name: downtime.legacy_id
|
||
type: integer
|
||
description: >
|
||
The integer ID of a downtime
|
||
|
||
- name: downtime.name
|
||
type: keyword
|
||
description: >
|
||
Downtime config identifier
|
||
|
||
- name: downtime.package
|
||
type: keyword
|
||
description: >
|
||
Configuration package of downtime
|
||
|
||
- name: downtime.scheduled_by
|
||
type: text
|
||
description: >
|
||
By whom downtime was scheduled
|
||
|
||
- name: downtime.service_name
|
||
type: keyword
|
||
description: >
|
||
Service name of a downtime
|
||
|
||
- name: downtime.start_time
|
||
type: date
|
||
description: >
|
||
Timestamp when downtime starts
|
||
|
||
- name: downtime.templates
|
||
type: text
|
||
description: >
|
||
Templates used by this downtime
|
||
|
||
- name: downtime.trigger_time
|
||
type: date
|
||
description: >
|
||
Timestamp when downtime was triggered
|
||
|
||
- name: downtime.triggered_by
|
||
type: text
|
||
description: >
|
||
By whom downtime was triggered
|
||
|
||
- name: downtime.triggers
|
||
type: text
|
||
description: >
|
||
Downtime triggers
|
||
|
||
- name: downtime.type
|
||
type: keyword
|
||
description: >
|
||
Downtime type
|
||
|
||
- name: downtime.version
|
||
type: keyword
|
||
description: >
|
||
Config version of downtime
|
||
|
||
- name: downtime.was_cancelled
|
||
type: boolean
|
||
description: >
|
||
If downtime was cancelled
|
||
|
||
- name: downtime.zone
|
||
type: keyword
|
||
description: >
|
||
Zone of downtime
|
||
|
||
- name: status.active_host_checks
|
||
type: integer
|
||
description: >
|
||
Active host checks
|
||
|
||
|
||
- name: status.active_host_checks_15min
|
||
type: integer
|
||
description: >
|
||
Active host checks in the last 15 minutes
|
||
|
||
|
||
- name: status.active_host_checks_1min
|
||
type: integer
|
||
description: >
|
||
Acitve host checks in the last minute
|
||
|
||
|
||
- name: status.active_host_checks_5min
|
||
type: integer
|
||
description: >
|
||
Active host checks in the last 5 minutes
|
||
|
||
|
||
- name: status.active_service_checks
|
||
type: integer
|
||
description: >
|
||
Active service checks
|
||
|
||
- name: status.active_service_checks_15min
|
||
type: integer
|
||
description: >
|
||
Active service checks in the last 15 minutes
|
||
|
||
- name: status.active_service_checks_1min
|
||
type: integer
|
||
description: >
|
||
Active service checks in the last minute
|
||
|
||
- name: status.active_service_checks_5min
|
||
type: integer
|
||
description: >
|
||
Active service checks in the last 5 minutes
|
||
|
||
- name: status.api.identity
|
||
type: keyword
|
||
description: >
|
||
API identity
|
||
|
||
- name: status.api.num_conn_endpoints
|
||
type: integer
|
||
description: >
|
||
Number of connected endpoints
|
||
|
||
- name: status.api.num_endpoints
|
||
type: integer
|
||
description: >
|
||
Total number of endpoints
|
||
|
||
- name: status.api.num_not_conn_endpoints
|
||
type: integer
|
||
description: >
|
||
Number of not connected endpoints
|
||
|
||
- name: status.avg_execution_time
|
||
type: integer
|
||
description: >
|
||
Average execution time of checks
|
||
|
||
- name: status.avg_latency
|
||
type: integer
|
||
description: >
|
||
Average latency time
|
||
|
||
- name: status.checkercomponent.checker.idle
|
||
type: integer
|
||
description: >
|
||
Idle checks
|
||
|
||
- name: status.checkercomponent.checker.pending
|
||
type: integer
|
||
description: >
|
||
Pending checks
|
||
|
||
- name: status.filelogger.main-log
|
||
type: integer
|
||
description: >
|
||
Mainlog enabled
|
||
|
||
- name: status.icingaapplication.app.enable_event_handlers
|
||
type: boolean
|
||
description: >
|
||
Event handlers enabled
|
||
|
||
- name: status.icingaapplication.app.enable_flapping
|
||
type: boolean
|
||
description: >
|
||
Flapping detection enabled
|
||
|
||
- name: status.icingaapplication.app.enable_host_checks
|
||
type: boolean
|
||
description: >
|
||
Host checks enabled
|
||
|
||
- name: status.icingaapplication.app.enable_notifications
|
||
type: boolean
|
||
description: >
|
||
Notifications enabled
|
||
|
||
- name: status.icingaapplication.app.enable_perfdata
|
||
type: boolean
|
||
description: >
|
||
Perfdata enabled
|
||
|
||
- name: status.icingaapplication.app.enable_service_checks
|
||
type: boolean
|
||
description: >
|
||
Service checks enabled
|
||
|
||
- name: status.icingaapplication.app.node_name
|
||
type: keyword
|
||
description: >
|
||
Node name
|
||
|
||
- name: status.icingaapplication.app.pid
|
||
type: integer
|
||
description: >
|
||
PID
|
||
|
||
- name: status.icingaapplication.app.program_start
|
||
type: integer
|
||
description: >
|
||
Time when Icinga started
|
||
|
||
- name: status.icingaapplication.app.version
|
||
type: keyword
|
||
description: >
|
||
Version
|
||
|
||
- name: status.idomysqlconnection.ido-mysql.connected
|
||
type: boolean
|
||
description: >
|
||
IDO connected
|
||
|
||
- name: status.idomysqlconnection.ido-mysql.instance_name
|
||
type: keyword
|
||
description: >
|
||
IDO Instance name
|
||
|
||
- name: status.idomysqlconnection.ido-mysql.query_queue_items
|
||
type: integer
|
||
description: >
|
||
IDO query items in the queue
|
||
|
||
- name: status.idomysqlconnection.ido-mysql.version
|
||
type: keyword
|
||
description: >
|
||
IDO schema version
|
||
|
||
- name: status.max_execution_time
|
||
type: integer
|
||
description: >
|
||
Max execution time
|
||
|
||
- name: status.max_latency
|
||
type: integer
|
||
description: >
|
||
Max latency
|
||
|
||
- name: status.min_execution_time
|
||
type: integer
|
||
description: >
|
||
Min execution time
|
||
|
||
- name: status.min_latency
|
||
type: integer
|
||
description: >
|
||
Min latency
|
||
|
||
- name: status.notificationcomponent.notification
|
||
type: integer
|
||
description: >
|
||
Notification
|
||
|
||
- name: status.num_hosts_acknowledged
|
||
type: integer
|
||
description: >
|
||
Amount of acknowledged hosts
|
||
|
||
- name: status.num_hosts_down
|
||
type: integer
|
||
description: >
|
||
Amount of down hosts
|
||
|
||
- name: status.num_hosts_flapping
|
||
type: integer
|
||
description: >
|
||
Amount of flapping hosts
|
||
|
||
- name: status.num_hosts_in_downtime
|
||
type: integer
|
||
description: >
|
||
Amount of hosts in downtime
|
||
|
||
- name: status.num_hosts_pending
|
||
type: integer
|
||
description: >
|
||
Amount of pending hosts
|
||
|
||
- name: status.num_hosts_unreachable
|
||
type: integer
|
||
description: >
|
||
Amount of unreachable hosts
|
||
|
||
- name: status.num_hosts_up
|
||
type: integer
|
||
description: >
|
||
Amount of hosts in up state
|
||
|
||
- name: status.num_services_acknowledged
|
||
type: integer
|
||
description: >
|
||
Amount of acknowledged services
|
||
|
||
- name: status.num_services_critical
|
||
type: integer
|
||
description: >
|
||
Amount of critical services
|
||
|
||
- name: status.num_services_flapping
|
||
type: integer
|
||
description: >
|
||
Amount of flapping services
|
||
|
||
- name: status.num_services_in_downtime
|
||
type: integer
|
||
description: >
|
||
Amount of services in downtime
|
||
|
||
- name: status.num_services_ok
|
||
type: integer
|
||
description: >
|
||
Amount of services in ok state
|
||
|
||
- name: status.num_services_pending
|
||
type: integer
|
||
description: >
|
||
Amount of pending services
|
||
|
||
- name: status.num_services_unknown
|
||
type: integer
|
||
description: >
|
||
Amount of unknown services
|
||
|
||
- name: status.num_services_unreachable
|
||
type: integer
|
||
description: >
|
||
Amount of unreachable services
|
||
|
||
- name: status.num_services_warning
|
||
type: integer
|
||
description: >
|
||
Amount of services in warning state
|
||
|
||
- name: status.passive_host_checks
|
||
type: integer
|
||
description: >
|
||
Amount of passive host checks
|
||
|
||
- name: status.passive_host_checks_15min
|
||
type: integer
|
||
description: >
|
||
Amount of passive host checks in the last 15 minutes
|
||
|
||
- name: status.passive_host_checks_1min
|
||
type: integer
|
||
description: >
|
||
Amount of passive host checks in the last minute
|
||
|
||
- name: status.passive_host_checks_5min
|
||
type: integer
|
||
description: >
|
||
Amount of passive host checks in the last 5 minutes
|
||
|
||
- name: status.passive_service_checks
|
||
type: integer
|
||
description: >
|
||
Amount of passive service checks
|
||
|
||
- name: status.passive_service_checks_15min
|
||
type: integer
|
||
description: >
|
||
Amount of passive service checks in the last 15 minutes
|
||
|
||
- name: status.passive_service_checks_1min
|
||
type: integer
|
||
description: >
|
||
Amount of passive service checks in the last minute
|
||
|
||
- name: status.passive_service_checks_5min
|
||
type: integer
|
||
description: >
|
||
Amount of passive service checks in the last 5 minutes
|
||
|
||
- name: status.uptime
|
||
type: integer
|
||
description: >
|
||
Uptime
|