diff --git a/CHANGELOG.md b/CHANGELOG.md
index edd614a6b0..03cdf80570 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,7 +19,7 @@ All notable changes to this project will be documented in this file based on the
 * Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtechniques. #951
 * Added `configuration` as an allowed `event.category`. #963
 * Added a new directory with experimental artifacts, which includes all changes
- from RFCs that have reached stage 2. #993, #1053
+ from RFCs that have reached stage 2. #993, #1053, #1115, #1117, #1118
 #### Improvements
@@ -27,6 +27,8 @@ All notable changes to this project will be documented in this file based on the
 * Provided better guidance for mapping network events. #969
 * Added the field `.subdomain` under `client`, `destination`, `server`, `source` and `url`, to match its presence at `dns.question.subdomain`. #981
+* Clarified ambiguity in guidance on how to use x509 fields for connections with
+ only one certificate. #1114
 ### Tooling and Artifact Changes
diff --git a/code/go/ecs/x509.go b/code/go/ecs/x509.go
index 99d916a641..d3509dda98 100644
--- a/code/go/ecs/x509.go
+++ b/code/go/ecs/x509.go
@@ -26,12 +26,13 @@ import (
 // This implements the common core fields for x509 certificates. This
 // information is likely logged with TLS sessions, digital signatures found in
 // executable binaries, S/MIME information in email bodies, or analysis of
-// files on disk. When only a single certificate is logged in an event, it
-// should be nested under `file`. When hashes of the DER-encoded certificate
-// are available, the `hash` data set should be populated as well (e.g.
-// `file.hash.sha256`). For events that contain certificate information for
-// both sides of the connection, the x509 object could be nested under the
-// respective side of the connection information (e.g. `tls.server.x509`).
+// files on disk.
+// When the certificate relates to a file, use the fields at `file.x509`. When
+// hashes of the DER-encoded certificate are available, the `hash` data set
+// should be populated as well (e.g. `file.hash.sha256`).
+// Events that contain certificate information about network connections,
+// should use the x509 fields under the relevant TLS fields: `tls.server.x509`
+// and/or `tls.client.x509`.
 type X509 struct {
 // Version of x509 format.
 VersionNumber string `ecs:"version_number"`
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index b980b32b93..ae14752657 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
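Review bot: The rewritten comment still directs the DER-encoded certificate hash into `file.hash.sha256`, and for the "digital signatures found in executable binaries" case named two lines earlier that is presumably the same field that carries the binary's own digest, so a consumer cannot tell whether a value there is the file hash or the certificate thumbprint and will pivot on the wrong artifact. I would scope the example to the case where the file is the certificate itself, e.g. `// should be populated as well (e.g. file.hash.sha256 when the file on disk is the DER-encoded certificate).`, and say explicitly that a signature embedded in another file should not overwrite that file's own hash. The stray comma in `// Events that contain certificate information about network connections,` splits subject from verb and should be dropped. The `X509` struct opened at the end of this hunk continues outside it.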
@@ -6974,7 +6974,11 @@ example: `Critical`
 [[ecs-x509]]
 === x509 Certificate Fields
-This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`).
+This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.
+
+When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`).
+
+Events that contain certificate information about network connections, should use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.
 [discrete]
 ==== x509 Certificate Field Details
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 7db593105c..3ee89c2a22 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -1,5 +1,5 @@
 # WARNING! Do not edit this file directly, it was generated by the ECS project,
-# based on ECS version 2.0.0-dev.
+# based on ECS version 2.0.0-dev+exp.
 # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
 - key: ecs
@@ -967,6 +967,19 @@ (`dns.type:answer`).' type: group fields: + - name: answers + level: extended + type: object + description: 'An array containing an object for each answer section returned + by the server. + + The main keys that should be present in these objects are defined by ECS. + Records that have more information may contain more keys than what ECS defines. + + Not all DNS data sources give all details about DNS answers. At minimum, answer + objects must contain the `data` key. If more information is available, map + as much of it to ECS as possible, and add any additional fields to the answer + objects as custom fields.' - name: answers.class level: extended type: keyword @@ -1160,7 +1173,6 @@ norms: false default_field: false description: The stack trace of this error in plain text. - index: true - name: type level: extended type: wildcard 
@@ -5943,15 +5955,18 @@ - name: x509 title: x509 Certificate group: 2 - description: This implements the common core fields for x509 certificates. This + description: 'This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files - on disk. When only a single certificate is logged in an event, it should be - nested under `file`. When hashes of the DER-encoded certificate are available, - the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For - events that contain certificate information for both sides of the connection, - the x509 object could be nested under the respective side of the connection - information (e.g. `tls.server.x509`). + on disk. + + When the certificate relates to a file, use the fields at `file.x509`. When + hashes of the DER-encoded certificate are available, the `hash` data set should + be populated as well (e.g. `file.hash.sha256`). + + Events that contain certificate information about network connections, should + use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or + `tls.client.x509`.' type: group fields: - name: alternative_names diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 2a67a56a9c..afea0e16c6 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -1,723 +1,724 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description -2.0.0-dev,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. -2.0.0-dev,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. -2.0.0-dev,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. -2.0.0-dev,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. -2.0.0-dev,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. -2.0.0-dev,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. -2.0.0-dev,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. -2.0.0-dev,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. -2.0.0-dev,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. -2.0.0-dev,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. -2.0.0-dev,true,client,client.address,keyword,extended,,,Client network address. -2.0.0-dev,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -2.0.0-dev,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name. -2.0.0-dev,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. -2.0.0-dev,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. -2.0.0-dev,true,client,client.domain,wildcard,core,,,Client domain. -2.0.0-dev,true,client,client.geo.city_name,keyword,core,,Montreal,City name. -2.0.0-dev,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. 
-2.0.0-dev,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. -2.0.0-dev,true,client,client.geo.country_name,keyword,core,,Canada,Country name. -2.0.0-dev,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -2.0.0-dev,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -2.0.0-dev,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -2.0.0-dev,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. -2.0.0-dev,true,client,client.ip,ip,core,,,IP address of the client. -2.0.0-dev,true,client,client.mac,keyword,core,,,MAC address of the client. -2.0.0-dev,true,client,client.nat.ip,ip,extended,,,Client NAT ip address -2.0.0-dev,true,client,client.nat.port,long,extended,,,Client NAT port -2.0.0-dev,true,client,client.packets,long,core,,12,Packets sent from the client to the server. -2.0.0-dev,true,client,client.port,long,core,,,Port of the client. -2.0.0-dev,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain." -2.0.0-dev,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. -2.0.0-dev,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -2.0.0-dev,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,client,client.user.email,wildcard,extended,,,User email address. -2.0.0-dev,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-2.0.0-dev,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,client,client.user.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,client,client.user.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. -2.0.0-dev,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. -2.0.0-dev,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. -2.0.0-dev,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. -2.0.0-dev,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. -2.0.0-dev,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. -2.0.0-dev,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. -2.0.0-dev,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. -2.0.0-dev,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. -2.0.0-dev,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. -2.0.0-dev,true,container,container.id,keyword,core,,,Unique container id. -2.0.0-dev,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. 
-2.0.0-dev,true,container,container.image.tag,keyword,extended,array,,Container image tags. -2.0.0-dev,true,container,container.labels,object,extended,,,Image labels. -2.0.0-dev,true,container,container.name,keyword,extended,,,Container name. -2.0.0-dev,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. -2.0.0-dev,true,destination,destination.address,keyword,extended,,,Destination network address. -2.0.0-dev,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -2.0.0-dev,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name. -2.0.0-dev,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. -2.0.0-dev,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. -2.0.0-dev,true,destination,destination.domain,wildcard,core,,,Destination domain. -2.0.0-dev,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. -2.0.0-dev,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. -2.0.0-dev,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. -2.0.0-dev,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. -2.0.0-dev,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -2.0.0-dev,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -2.0.0-dev,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -2.0.0-dev,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. -2.0.0-dev,true,destination,destination.ip,ip,core,,,IP address of the destination. -2.0.0-dev,true,destination,destination.mac,keyword,core,,,MAC address of the destination. 
-2.0.0-dev,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip -2.0.0-dev,true,destination,destination.nat.port,long,extended,,,Destination NAT Port -2.0.0-dev,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. -2.0.0-dev,true,destination,destination.port,long,core,,,Port of the destination. -2.0.0-dev,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." -2.0.0-dev,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. -2.0.0-dev,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -2.0.0-dev,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,destination,destination.user.email,wildcard,extended,,,User email address. -2.0.0-dev,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user. 
-2.0.0-dev,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -2.0.0-dev,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -2.0.0-dev,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -2.0.0-dev,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -2.0.0-dev,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -2.0.0-dev,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. -2.0.0-dev,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. -2.0.0-dev,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. -2.0.0-dev,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. -2.0.0-dev,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. -2.0.0-dev,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. -2.0.0-dev,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -2.0.0-dev,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -2.0.0-dev,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -2.0.0-dev,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -2.0.0-dev,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
-2.0.0-dev,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -2.0.0-dev,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -2.0.0-dev,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. -2.0.0-dev,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. -2.0.0-dev,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. -2.0.0-dev,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. -2.0.0-dev,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. -2.0.0-dev,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. -2.0.0-dev,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -2.0.0-dev,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. -2.0.0-dev,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. -2.0.0-dev,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried. -2.0.0-dev,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." -2.0.0-dev,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. -2.0.0-dev,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -2.0.0-dev,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. 
-2.0.0-dev,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data -2.0.0-dev,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. -2.0.0-dev,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." -2.0.0-dev,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. -2.0.0-dev,true,error,error.code,keyword,core,,,Error code describing the error. -2.0.0-dev,true,error,error.id,keyword,core,,,Unique identifier for the error. -2.0.0-dev,true,error,error.message,text,core,,,Error message. -2.0.0-dev,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. -2.0.0-dev,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. -2.0.0-dev,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." -2.0.0-dev,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. -2.0.0-dev,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -2.0.0-dev,true,event,event.code,keyword,extended,,4648,Identification code for this event. -2.0.0-dev,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -2.0.0-dev,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. -2.0.0-dev,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. -2.0.0-dev,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. -2.0.0-dev,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. 
-2.0.0-dev,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -2.0.0-dev,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -2.0.0-dev,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -2.0.0-dev,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. -2.0.0-dev,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -2.0.0-dev,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -2.0.0-dev,true,event,event.provider,keyword,extended,,kernel,Source of the event. -2.0.0-dev,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -2.0.0-dev,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -2.0.0-dev,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -2.0.0-dev,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -2.0.0-dev,true,event,event.sequence,long,extended,,,Sequence number of the event. -2.0.0-dev,true,event,event.severity,long,core,,7,Numeric severity of the event. -2.0.0-dev,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -2.0.0-dev,true,event,event.timezone,keyword,extended,,,Event time zone. -2.0.0-dev,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. 
-2.0.0-dev,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -2.0.0-dev,true,file,file.accessed,date,extended,,,Last time the file was accessed. -2.0.0-dev,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -2.0.0-dev,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -2.0.0-dev,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -2.0.0-dev,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -2.0.0-dev,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -2.0.0-dev,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -2.0.0-dev,true,file,file.created,date,extended,,,File creation time. -2.0.0-dev,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. -2.0.0-dev,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. -2.0.0-dev,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. -2.0.0-dev,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -2.0.0-dev,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -2.0.0-dev,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -2.0.0-dev,true,file,file.group,keyword,extended,,alice,Primary group name of the file. -2.0.0-dev,true,file,file.hash.md5,keyword,extended,,,MD5 hash. -2.0.0-dev,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. -2.0.0-dev,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. 
-2.0.0-dev,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. -2.0.0-dev,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -2.0.0-dev,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -2.0.0-dev,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. -2.0.0-dev,true,file,file.mtime,date,extended,,,Last time the file content was modified. -2.0.0-dev,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -2.0.0-dev,true,file,file.owner,keyword,extended,,alice,File owner's username. -2.0.0-dev,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." -2.0.0-dev,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -2.0.0-dev,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -2.0.0-dev,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -2.0.0-dev,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -2.0.0-dev,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -2.0.0-dev,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -2.0.0-dev,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -2.0.0-dev,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -2.0.0-dev,true,file,file.size,long,extended,,16384,File size in bytes. -2.0.0-dev,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. 
-2.0.0-dev,true,file,file.target_path.text,text,extended,,,Target path for symlinks. -2.0.0-dev,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -2.0.0-dev,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -2.0.0-dev,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -2.0.0-dev,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -2.0.0-dev,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -2.0.0-dev,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -2.0.0-dev,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -2.0.0-dev,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -2.0.0-dev,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -2.0.0-dev,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -2.0.0-dev,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -2.0.0-dev,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -2.0.0-dev,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
-2.0.0-dev,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -2.0.0-dev,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -2.0.0-dev,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -2.0.0-dev,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -2.0.0-dev,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -2.0.0-dev,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -2.0.0-dev,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code -2.0.0-dev,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -2.0.0-dev,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -2.0.0-dev,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -2.0.0-dev,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -2.0.0-dev,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -2.0.0-dev,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. -2.0.0-dev,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
-2.0.0-dev,true,group,group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. -2.0.0-dev,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. -2.0.0-dev,true,host,host.geo.city_name,keyword,core,,Montreal,City name. -2.0.0-dev,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. -2.0.0-dev,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. -2.0.0-dev,true,host,host.geo.country_name,keyword,core,,Canada,Country name. -2.0.0-dev,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -2.0.0-dev,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -2.0.0-dev,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -2.0.0-dev,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. -2.0.0-dev,true,host,host.hostname,wildcard,core,,,Hostname of the host. -2.0.0-dev,true,host,host.id,keyword,core,,,Unique host id. -2.0.0-dev,true,host,host.ip,ip,core,array,,Host ip addresses. -2.0.0-dev,true,host,host.mac,keyword,core,array,,Host mac addresses. -2.0.0-dev,true,host,host.name,keyword,core,,,Name of the host. -2.0.0-dev,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -2.0.0-dev,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -2.0.0-dev,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -2.0.0-dev,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -2.0.0-dev,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." 
-2.0.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -2.0.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -2.0.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -2.0.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -2.0.0-dev,true,host,host.type,keyword,core,,,Type of host. -2.0.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. -2.0.0-dev,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,host,host.user.email,wildcard,extended,,,User email address. -2.0.0-dev,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,host,host.user.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,host,host.user.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. 
-2.0.0-dev,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. -2.0.0-dev,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. -2.0.0-dev,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). -2.0.0-dev,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. -2.0.0-dev,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. -2.0.0-dev,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. -2.0.0-dev,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. -2.0.0-dev,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. -2.0.0-dev,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. -2.0.0-dev,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). -2.0.0-dev,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. -2.0.0-dev,true,http,http.response.status_code,long,extended,,404,HTTP response status code. -2.0.0-dev,true,http,http.version,keyword,extended,,1.1,HTTP version. -2.0.0-dev,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from. -2.0.0-dev,true,log,log.level,keyword,core,,error,Log level of the log event. -2.0.0-dev,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. -2.0.0-dev,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. -2.0.0-dev,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. 
-2.0.0-dev,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. -2.0.0-dev,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." -2.0.0-dev,true,log,log.syslog,object,extended,,,Syslog metadata -2.0.0-dev,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. -2.0.0-dev,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. -2.0.0-dev,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. -2.0.0-dev,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. -2.0.0-dev,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. -2.0.0-dev,true,network,network.application,keyword,extended,,aim,Application level protocol name. -2.0.0-dev,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. -2.0.0-dev,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. -2.0.0-dev,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. -2.0.0-dev,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. -2.0.0-dev,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. -2.0.0-dev,true,network,network.inner,object,extended,,,Inner VLAN tag information -2.0.0-dev,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -2.0.0-dev,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -2.0.0-dev,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. 
-2.0.0-dev,true,network,network.packets,long,core,,24,Total packets transferred in both directions. -2.0.0-dev,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. -2.0.0-dev,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. -2.0.0-dev,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" -2.0.0-dev,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -2.0.0-dev,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -2.0.0-dev,true,observer,observer.egress,object,extended,,,Object field for egress information -2.0.0-dev,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias -2.0.0-dev,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID -2.0.0-dev,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name -2.0.0-dev,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -2.0.0-dev,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -2.0.0-dev,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone -2.0.0-dev,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. -2.0.0-dev,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. -2.0.0-dev,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. -2.0.0-dev,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. -2.0.0-dev,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -2.0.0-dev,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. 
-2.0.0-dev,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -2.0.0-dev,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. -2.0.0-dev,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. -2.0.0-dev,true,observer,observer.ingress,object,extended,,,Object field for ingress information -2.0.0-dev,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias -2.0.0-dev,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID -2.0.0-dev,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name -2.0.0-dev,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. -2.0.0-dev,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. -2.0.0-dev,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone -2.0.0-dev,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. -2.0.0-dev,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer -2.0.0-dev,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. -2.0.0-dev,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -2.0.0-dev,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -2.0.0-dev,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -2.0.0-dev,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. -2.0.0-dev,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." -2.0.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 
-2.0.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -2.0.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -2.0.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -2.0.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. -2.0.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. -2.0.0-dev,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. -2.0.0-dev,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. -2.0.0-dev,true,observer,observer.version,keyword,core,,,Observer version. -2.0.0-dev,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. -2.0.0-dev,true,organization,organization.name,wildcard,extended,,,Organization name. -2.0.0-dev,true,organization,organization.name.text,text,extended,,,Organization name. -2.0.0-dev,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. -2.0.0-dev,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information -2.0.0-dev,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. -2.0.0-dev,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. -2.0.0-dev,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." -2.0.0-dev,true,package,package.installed,date,extended,,,Time when package was installed. 
-2.0.0-dev,true,package,package.license,keyword,extended,,Apache License 2.0,Package license -2.0.0-dev,true,package,package.name,keyword,extended,,go,Package name -2.0.0-dev,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. -2.0.0-dev,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL -2.0.0-dev,true,package,package.size,long,extended,,62231,Package size in bytes. -2.0.0-dev,true,package,package.type,keyword,extended,,rpm,Package type -2.0.0-dev,true,package,package.version,keyword,extended,,1.12.9,Package version -2.0.0-dev,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -2.0.0-dev,true,process,process.args_count,long,extended,,4,Length of the process.args array. -2.0.0-dev,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -2.0.0-dev,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -2.0.0-dev,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -2.0.0-dev,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -2.0.0-dev,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -2.0.0-dev,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -2.0.0-dev,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -2.0.0-dev,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. 
-2.0.0-dev,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. -2.0.0-dev,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. -2.0.0-dev,true,process,process.exit_code,long,extended,,137,The exit code of the process. -2.0.0-dev,true,process,process.hash.md5,keyword,extended,,,MD5 hash. -2.0.0-dev,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. -2.0.0-dev,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. -2.0.0-dev,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. -2.0.0-dev,true,process,process.name,wildcard,extended,,ssh,Process name. -2.0.0-dev,true,process,process.name.text,text,extended,,ssh,Process name. -2.0.0-dev,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. -2.0.0-dev,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. -2.0.0-dev,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -2.0.0-dev,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -2.0.0-dev,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -2.0.0-dev,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -2.0.0-dev,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -2.0.0-dev,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
-2.0.0-dev,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. -2.0.0-dev,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. -2.0.0-dev,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. -2.0.0-dev,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. -2.0.0-dev,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. -2.0.0-dev,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. -2.0.0-dev,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. -2.0.0-dev,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. -2.0.0-dev,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. -2.0.0-dev,true,process,process.parent.name,wildcard,extended,,ssh,Process name. -2.0.0-dev,true,process,process.parent.name.text,text,extended,,ssh,Process name. -2.0.0-dev,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -2.0.0-dev,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -2.0.0-dev,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -2.0.0-dev,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -2.0.0-dev,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -2.0.0-dev,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
-2.0.0-dev,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -2.0.0-dev,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. -2.0.0-dev,true,process,process.parent.pid,long,core,,4242,Process id. -2.0.0-dev,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. -2.0.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -2.0.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. -2.0.0-dev,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name. -2.0.0-dev,true,process,process.parent.title,wildcard,extended,,,Process title. -2.0.0-dev,true,process,process.parent.title.text,text,extended,,,Process title. -2.0.0-dev,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. -2.0.0-dev,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process. -2.0.0-dev,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. -2.0.0-dev,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -2.0.0-dev,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -2.0.0-dev,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -2.0.0-dev,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -2.0.0-dev,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -2.0.0-dev,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." 
-2.0.0-dev,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -2.0.0-dev,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. -2.0.0-dev,true,process,process.pid,long,core,,4242,Process id. -2.0.0-dev,true,process,process.ppid,long,extended,,4241,Parent process' pid. -2.0.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. -2.0.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. -2.0.0-dev,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name. -2.0.0-dev,true,process,process.title,wildcard,extended,,,Process title. -2.0.0-dev,true,process,process.title.text,text,extended,,,Process title. -2.0.0-dev,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. -2.0.0-dev,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process. -2.0.0-dev,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. -2.0.0-dev,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -2.0.0-dev,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -2.0.0-dev,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -2.0.0-dev,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -2.0.0-dev,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
-2.0.0-dev,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -2.0.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. -2.0.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. -2.0.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. -2.0.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. -2.0.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event. -2.0.0-dev,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author -2.0.0-dev,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category -2.0.0-dev,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description -2.0.0-dev,true,rule,rule.id,keyword,extended,,101,Rule ID -2.0.0-dev,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license -2.0.0-dev,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name -2.0.0-dev,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL -2.0.0-dev,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset -2.0.0-dev,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID -2.0.0-dev,true,rule,rule.version,keyword,extended,,1.1,Rule version -2.0.0-dev,true,server,server.address,keyword,extended,,,Server network address. -2.0.0-dev,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -2.0.0-dev,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name. -2.0.0-dev,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. 
-2.0.0-dev,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. -2.0.0-dev,true,server,server.domain,wildcard,core,,,Server domain. -2.0.0-dev,true,server,server.geo.city_name,keyword,core,,Montreal,City name. -2.0.0-dev,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. -2.0.0-dev,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. -2.0.0-dev,true,server,server.geo.country_name,keyword,core,,Canada,Country name. -2.0.0-dev,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -2.0.0-dev,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -2.0.0-dev,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -2.0.0-dev,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. -2.0.0-dev,true,server,server.ip,ip,core,,,IP address of the server. -2.0.0-dev,true,server,server.mac,keyword,core,,,MAC address of the server. -2.0.0-dev,true,server,server.nat.ip,ip,extended,,,Server NAT ip -2.0.0-dev,true,server,server.nat.port,long,extended,,,Server NAT port -2.0.0-dev,true,server,server.packets,long,core,,12,Packets sent from the server to the client. -2.0.0-dev,true,server,server.port,long,core,,,Port of the server. -2.0.0-dev,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain." -2.0.0-dev,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. -2.0.0-dev,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -2.0.0-dev,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,server,server.user.email,wildcard,extended,,,User email address. 
-2.0.0-dev,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,server,server.user.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,server,server.user.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. -2.0.0-dev,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. -2.0.0-dev,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. -2.0.0-dev,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. -2.0.0-dev,true,service,service.state,keyword,core,,,Current state of the service. -2.0.0-dev,true,service,service.type,keyword,core,,elasticsearch,The type of the service. -2.0.0-dev,true,service,service.version,keyword,core,,3.2.4,Version of the service. -2.0.0-dev,true,source,source.address,keyword,extended,,,Source network address. -2.0.0-dev,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. 
-2.0.0-dev,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name. -2.0.0-dev,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. -2.0.0-dev,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. -2.0.0-dev,true,source,source.domain,wildcard,core,,,Source domain. -2.0.0-dev,true,source,source.geo.city_name,keyword,core,,Montreal,City name. -2.0.0-dev,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. -2.0.0-dev,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. -2.0.0-dev,true,source,source.geo.country_name,keyword,core,,Canada,Country name. -2.0.0-dev,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -2.0.0-dev,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -2.0.0-dev,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -2.0.0-dev,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. -2.0.0-dev,true,source,source.ip,ip,core,,,IP address of the source. -2.0.0-dev,true,source,source.mac,keyword,core,,,MAC address of the source. -2.0.0-dev,true,source,source.nat.ip,ip,extended,,,Source NAT ip -2.0.0-dev,true,source,source.nat.port,long,extended,,,Source NAT port -2.0.0-dev,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. -2.0.0-dev,true,source,source.port,long,core,,,Port of the source. -2.0.0-dev,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain." -2.0.0-dev,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. -2.0.0-dev,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
-2.0.0-dev,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,source,source.user.email,wildcard,extended,,,User email address. -2.0.0-dev,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,source,source.user.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,source,source.user.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -2.0.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -2.0.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. -2.0.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. -2.0.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. -2.0.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. 
-2.0.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. -2.0.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. -2.0.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. -2.0.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. -2.0.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. -2.0.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. -2.0.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. -2.0.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. -2.0.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. -2.0.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. -2.0.0-dev,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. -2.0.0-dev,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. 
-2.0.0-dev,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. -2.0.0-dev,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -2.0.0-dev,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. -2.0.0-dev,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. -2.0.0-dev,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. -2.0.0-dev,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. -2.0.0-dev,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. -2.0.0-dev,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. -2.0.0-dev,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -2.0.0-dev,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-2.0.0-dev,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -2.0.0-dev,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -2.0.0-dev,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -2.0.0-dev,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -2.0.0-dev,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -2.0.0-dev,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -2.0.0-dev,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -2.0.0-dev,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -2.0.0-dev,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -2.0.0-dev,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -2.0.0-dev,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -2.0.0-dev,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -2.0.0-dev,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
-2.0.0-dev,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -2.0.0-dev,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -2.0.0-dev,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code -2.0.0-dev,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -2.0.0-dev,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -2.0.0-dev,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -2.0.0-dev,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -2.0.0-dev,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -2.0.0-dev,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. -2.0.0-dev,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." -2.0.0-dev,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -2.0.0-dev,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. -2.0.0-dev,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -2.0.0-dev,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. 
-2.0.0-dev,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. -2.0.0-dev,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. -2.0.0-dev,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. -2.0.0-dev,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. -2.0.0-dev,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. -2.0.0-dev,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. -2.0.0-dev,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. -2.0.0-dev,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. -2.0.0-dev,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. -2.0.0-dev,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -2.0.0-dev,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-2.0.0-dev,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -2.0.0-dev,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -2.0.0-dev,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -2.0.0-dev,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -2.0.0-dev,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -2.0.0-dev,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -2.0.0-dev,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -2.0.0-dev,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -2.0.0-dev,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -2.0.0-dev,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -2.0.0-dev,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -2.0.0-dev,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -2.0.0-dev,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. 
-2.0.0-dev,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -2.0.0-dev,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -2.0.0-dev,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code -2.0.0-dev,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -2.0.0-dev,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -2.0.0-dev,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -2.0.0-dev,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -2.0.0-dev,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -2.0.0-dev,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. -2.0.0-dev,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. -2.0.0-dev,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. -2.0.0-dev,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. -2.0.0-dev,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. -2.0.0-dev,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url. -2.0.0-dev,true,url,url.extension,keyword,extended,,png,File extension from the original request url. 
-2.0.0-dev,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. -2.0.0-dev,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -2.0.0-dev,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -2.0.0-dev,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -2.0.0-dev,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -2.0.0-dev,true,url,url.password,keyword,extended,,,Password of the request. -2.0.0-dev,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." -2.0.0-dev,true,url,url.port,long,extended,,443,"Port of the request, such as 443." -2.0.0-dev,true,url,url.query,keyword,extended,,,Query string of the request. -2.0.0-dev,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -2.0.0-dev,true,url,url.scheme,keyword,extended,,https,Scheme of the url. -2.0.0-dev,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. -2.0.0-dev,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -2.0.0-dev,true,url,url.username,keyword,extended,,,Username of the request. -2.0.0-dev,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,user,user.changes.email,wildcard,extended,,,User email address. -2.0.0-dev,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 
-2.0.0-dev,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,user,user.changes.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,user,user.effective.email,wildcard,extended,,,User email address. -2.0.0-dev,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,user,user.effective.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. 
-2.0.0-dev,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,user,user.email,wildcard,extended,,,User email address. -2.0.0-dev,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. -2.0.0-dev,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,user,user.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,user,user.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,user,user.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. -2.0.0-dev,true,user,user.target.email,wildcard,extended,,,User email address. -2.0.0-dev,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." -2.0.0-dev,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
-2.0.0-dev,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. -2.0.0-dev,true,user,user.target.group.name,keyword,extended,,,Name of the group. -2.0.0-dev,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. -2.0.0-dev,true,user,user.target.id,keyword,core,,,Unique identifier of the user. -2.0.0-dev,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. -2.0.0-dev,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. -2.0.0-dev,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. -2.0.0-dev,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. -2.0.0-dev,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -2.0.0-dev,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. -2.0.0-dev,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." -2.0.0-dev,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -2.0.0-dev,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." -2.0.0-dev,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. 
-2.0.0-dev,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." -2.0.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." -2.0.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." -2.0.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." -2.0.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. -2.0.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. -2.0.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. -2.0.0-dev,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. -2.0.0-dev,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -2.0.0-dev,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. -2.0.0-dev,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. -2.0.0-dev,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. -2.0.0-dev,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. -2.0.0-dev,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. -2.0.0-dev,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. 
-2.0.0-dev,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. -2.0.0-dev,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. -2.0.0-dev,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. -2.0.0-dev,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. -2.0.0-dev,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +2.0.0-dev+exp,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated. +2.0.0-dev+exp,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs. +2.0.0-dev+exp,true,base,message,text,core,,Hello World,Log message optimized for viewing in a log viewer. +2.0.0-dev+exp,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event. +2.0.0-dev+exp,true,agent,agent.build.original,wildcard,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent. +2.0.0-dev+exp,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent. +2.0.0-dev+exp,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent. +2.0.0-dev+exp,true,agent,agent.name,keyword,core,,foo,Custom name of the agent. +2.0.0-dev+exp,true,agent,agent.type,keyword,core,,filebeat,Type of the agent. +2.0.0-dev+exp,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent. +2.0.0-dev+exp,true,client,client.address,keyword,extended,,,Client network address. +2.0.0-dev+exp,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +2.0.0-dev+exp,true,client,client.as.organization.name,wildcard,extended,,Google LLC,Organization name. 
+2.0.0-dev+exp,true,client,client.as.organization.name.text,text,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server. +2.0.0-dev+exp,true,client,client.domain,wildcard,core,,,Client domain. +2.0.0-dev+exp,true,client,client.geo.city_name,keyword,core,,Montreal,City name. +2.0.0-dev+exp,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev+exp,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,client,client.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +2.0.0-dev+exp,true,client,client.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +2.0.0-dev+exp,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev+exp,true,client,client.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,client,client.ip,ip,core,,,IP address of the client. +2.0.0-dev+exp,true,client,client.mac,keyword,core,,,MAC address of the client. +2.0.0-dev+exp,true,client,client.nat.ip,ip,extended,,,Client NAT ip address +2.0.0-dev+exp,true,client,client.nat.port,long,extended,,,Client NAT port +2.0.0-dev+exp,true,client,client.packets,long,core,,12,Packets sent from the client to the server. +2.0.0-dev+exp,true,client,client.port,long,core,,,Port of the client. +2.0.0-dev+exp,true,client,client.registered_domain,wildcard,extended,,example.com,"The highest registered client domain, stripped of the subdomain." +2.0.0-dev+exp,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain. +2.0.0-dev+exp,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
+2.0.0-dev+exp,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,client,client.user.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,client,client.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,client,client.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,client,client.user.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,client,client.user.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,client,client.user.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,client,client.user.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id. +2.0.0-dev+exp,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name. +2.0.0-dev+exp,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,Availability zone in which this host is running. +2.0.0-dev+exp,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine. +2.0.0-dev+exp,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine. 
+2.0.0-dev+exp,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine. +2.0.0-dev+exp,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id. +2.0.0-dev+exp,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name. +2.0.0-dev+exp,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider. +2.0.0-dev+exp,true,cloud,cloud.region,keyword,extended,,us-east-1,Region in which this host is running. +2.0.0-dev+exp,true,container,container.id,keyword,core,,,Unique container id. +2.0.0-dev+exp,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on. +2.0.0-dev+exp,true,container,container.image.tag,keyword,extended,array,,Container image tags. +2.0.0-dev+exp,true,container,container.labels,object,extended,,,Image labels. +2.0.0-dev+exp,true,container,container.name,keyword,extended,,,Container name. +2.0.0-dev+exp,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container. +2.0.0-dev+exp,true,destination,destination.address,keyword,extended,,,Destination network address. +2.0.0-dev+exp,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +2.0.0-dev+exp,true,destination,destination.as.organization.name,wildcard,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,destination,destination.as.organization.name.text,text,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source. +2.0.0-dev+exp,true,destination,destination.domain,wildcard,core,,,Destination domain. +2.0.0-dev+exp,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name. +2.0.0-dev+exp,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent. 
+2.0.0-dev+exp,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +2.0.0-dev+exp,true,destination,destination.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +2.0.0-dev+exp,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev+exp,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,destination,destination.ip,ip,core,,,IP address of the destination. +2.0.0-dev+exp,true,destination,destination.mac,keyword,core,,,MAC address of the destination. +2.0.0-dev+exp,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip +2.0.0-dev+exp,true,destination,destination.nat.port,long,extended,,,Destination NAT Port +2.0.0-dev+exp,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source. +2.0.0-dev+exp,true,destination,destination.port,long,core,,,Port of the destination. +2.0.0-dev+exp,true,destination,destination.registered_domain,wildcard,extended,,example.com,"The highest registered destination domain, stripped of the subdomain." +2.0.0-dev+exp,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain. +2.0.0-dev+exp,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev+exp,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,destination,destination.user.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,destination,destination.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." 
+2.0.0-dev+exp,true,destination,destination.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,destination,destination.user.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,destination,destination.user.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,destination,destination.user.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,destination,destination.user.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev+exp,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +2.0.0-dev+exp,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev+exp,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +2.0.0-dev+exp,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +2.0.0-dev+exp,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash. +2.0.0-dev+exp,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash. +2.0.0-dev+exp,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash. 
+2.0.0-dev+exp,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash. +2.0.0-dev+exp,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library. +2.0.0-dev+exp,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library. +2.0.0-dev+exp,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev+exp,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev+exp,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +2.0.0-dev+exp,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev+exp,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +2.0.0-dev+exp,true,dll,dll.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev+exp,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +2.0.0-dev+exp,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +2.0.0-dev+exp,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +2.0.0-dev+exp,true,dns,dns.answers.data,wildcard,extended,,10.10.10.10,The data describing the resource. +2.0.0-dev+exp,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +2.0.0-dev+exp,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +2.0.0-dev+exp,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +2.0.0-dev+exp,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. 
+2.0.0-dev+exp,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +2.0.0-dev+exp,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +2.0.0-dev+exp,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +2.0.0-dev+exp,true,dns,dns.question.name,wildcard,extended,,www.example.com,The name being queried. +2.0.0-dev+exp,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +2.0.0-dev+exp,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +2.0.0-dev+exp,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev+exp,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. +2.0.0-dev+exp,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +2.0.0-dev+exp,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +2.0.0-dev+exp,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +2.0.0-dev+exp,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +2.0.0-dev+exp,true,error,error.code,keyword,core,,,Error code describing the error. +2.0.0-dev+exp,true,error,error.id,keyword,core,,,Unique identifier for the error. +2.0.0-dev+exp,true,error,error.message,text,core,,,Error message. +2.0.0-dev+exp,true,error,error.stack_trace,wildcard,extended,,,The stack trace of this error in plain text. +2.0.0-dev+exp,true,error,error.stack_trace.text,text,extended,,,The stack trace of this error in plain text. 
+2.0.0-dev+exp,true,error,error.type,wildcard,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +2.0.0-dev+exp,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. +2.0.0-dev+exp,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +2.0.0-dev+exp,true,event,event.code,keyword,extended,,4648,Identification code for this event. +2.0.0-dev+exp,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +2.0.0-dev+exp,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +2.0.0-dev+exp,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +2.0.0-dev+exp,true,event,event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +2.0.0-dev+exp,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +2.0.0-dev+exp,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +2.0.0-dev+exp,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +2.0.0-dev+exp,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +2.0.0-dev+exp,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +2.0.0-dev+exp,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +2.0.0-dev+exp,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. 
+2.0.0-dev+exp,true,event,event.provider,keyword,extended,,kernel,Source of the event. +2.0.0-dev+exp,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +2.0.0-dev+exp,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +2.0.0-dev+exp,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +2.0.0-dev+exp,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +2.0.0-dev+exp,true,event,event.sequence,long,extended,,,Sequence number of the event. +2.0.0-dev+exp,true,event,event.severity,long,core,,7,Numeric severity of the event. +2.0.0-dev+exp,true,event,event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +2.0.0-dev+exp,true,event,event.timezone,keyword,extended,,,Event time zone. +2.0.0-dev+exp,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +2.0.0-dev+exp,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +2.0.0-dev+exp,true,file,file.accessed,date,extended,,,Last time the file was accessed. +2.0.0-dev+exp,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +2.0.0-dev+exp,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev+exp,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+2.0.0-dev+exp,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev+exp,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +2.0.0-dev+exp,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +2.0.0-dev+exp,true,file,file.created,date,extended,,,File creation time. +2.0.0-dev+exp,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +2.0.0-dev+exp,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +2.0.0-dev+exp,true,file,file.directory,wildcard,extended,,/home/alice,Directory where the file is located. +2.0.0-dev+exp,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +2.0.0-dev+exp,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +2.0.0-dev+exp,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +2.0.0-dev+exp,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +2.0.0-dev+exp,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +2.0.0-dev+exp,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +2.0.0-dev+exp,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +2.0.0-dev+exp,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +2.0.0-dev+exp,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +2.0.0-dev+exp,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +2.0.0-dev+exp,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +2.0.0-dev+exp,true,file,file.mtime,date,extended,,,Last time the file content was modified. 
+2.0.0-dev+exp,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +2.0.0-dev+exp,true,file,file.owner,keyword,extended,,alice,File owner's username. +2.0.0-dev+exp,true,file,file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." +2.0.0-dev+exp,true,file,file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +2.0.0-dev+exp,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev+exp,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev+exp,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +2.0.0-dev+exp,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev+exp,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +2.0.0-dev+exp,true,file,file.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev+exp,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +2.0.0-dev+exp,true,file,file.size,long,extended,,16384,File size in bytes. +2.0.0-dev+exp,true,file,file.target_path,wildcard,extended,,,Target path for symlinks. +2.0.0-dev+exp,true,file,file.target_path.text,text,extended,,,Target path for symlinks. +2.0.0-dev+exp,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +2.0.0-dev+exp,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +2.0.0-dev+exp,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+2.0.0-dev+exp,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +2.0.0-dev+exp,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +2.0.0-dev+exp,true,file,file.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +2.0.0-dev+exp,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +2.0.0-dev+exp,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +2.0.0-dev+exp,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +2.0.0-dev+exp,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev+exp,true,file,file.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +2.0.0-dev+exp,true,file,file.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +2.0.0-dev+exp,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +2.0.0-dev+exp,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +2.0.0-dev+exp,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +2.0.0-dev+exp,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
+2.0.0-dev+exp,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +2.0.0-dev+exp,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +2.0.0-dev+exp,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +2.0.0-dev+exp,true,file,file.x509.subject.country,keyword,extended,array,US,List of country (C) code +2.0.0-dev+exp,true,file,file.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +2.0.0-dev+exp,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +2.0.0-dev+exp,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +2.0.0-dev+exp,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +2.0.0-dev+exp,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev+exp,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +2.0.0-dev+exp,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,group,group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +2.0.0-dev+exp,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +2.0.0-dev+exp,true,host,host.geo.city_name,keyword,core,,Montreal,City name. 
+2.0.0-dev+exp,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev+exp,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +2.0.0-dev+exp,true,host,host.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +2.0.0-dev+exp,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev+exp,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,host,host.hostname,wildcard,core,,,Hostname of the host. +2.0.0-dev+exp,true,host,host.id,keyword,core,,,Unique host id. +2.0.0-dev+exp,true,host,host.ip,ip,core,array,,Host ip addresses. +2.0.0-dev+exp,true,host,host.mac,keyword,core,array,,Host mac addresses. +2.0.0-dev+exp,true,host,host.name,keyword,core,,,Name of the host. +2.0.0-dev+exp,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +2.0.0-dev+exp,true,host,host.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +2.0.0-dev+exp,true,host,host.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +2.0.0-dev+exp,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +2.0.0-dev+exp,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +2.0.0-dev+exp,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +2.0.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." 
+2.0.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +2.0.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +2.0.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. +2.0.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +2.0.0-dev+exp,true,host,host.user.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,host,host.user.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,host,host.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,host,host.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,host,host.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,host,host.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,host,host.user.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,host,host.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,host,host.user.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,host,host.user.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,host,host.user.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,host,host.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +2.0.0-dev+exp,true,http,http.request.body.content,wildcard,extended,,Hello world,The full HTTP request body. 
+2.0.0-dev+exp,true,http,http.request.body.content.text,text,extended,,Hello world,The full HTTP request body. +2.0.0-dev+exp,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +2.0.0-dev+exp,true,http,http.request.method,keyword,extended,,"GET, POST, PUT, PoST",HTTP request method. +2.0.0-dev+exp,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. +2.0.0-dev+exp,true,http,http.request.referrer,wildcard,extended,,https://blog.example.com/,Referrer for this HTTP request. +2.0.0-dev+exp,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +2.0.0-dev+exp,true,http,http.response.body.content,wildcard,extended,,Hello world,The full HTTP response body. +2.0.0-dev+exp,true,http,http.response.body.content.text,text,extended,,Hello world,The full HTTP response body. +2.0.0-dev+exp,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +2.0.0-dev+exp,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +2.0.0-dev+exp,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +2.0.0-dev+exp,true,http,http.version,keyword,extended,,1.1,HTTP version. +2.0.0-dev+exp,true,log,log.file.path,wildcard,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +2.0.0-dev+exp,true,log,log.level,keyword,core,,error,Log level of the log event. +2.0.0-dev+exp,true,log,log.logger,wildcard,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +2.0.0-dev+exp,true,log,log.origin.file.line,integer,extended,,42,The line number of the file which originated the log event. +2.0.0-dev+exp,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +2.0.0-dev+exp,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. 
+2.0.0-dev+exp,false,log,log.original,keyword,core,,Sep 19 08:26:10 localhost My log,"Original log message with light interpretation only (encoding, newlines)." +2.0.0-dev+exp,true,log,log.syslog,object,extended,,,Syslog metadata +2.0.0-dev+exp,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +2.0.0-dev+exp,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +2.0.0-dev+exp,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +2.0.0-dev+exp,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +2.0.0-dev+exp,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +2.0.0-dev+exp,true,network,network.application,keyword,extended,,aim,Application level protocol name. +2.0.0-dev+exp,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +2.0.0-dev+exp,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +2.0.0-dev+exp,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +2.0.0-dev+exp,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. +2.0.0-dev+exp,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +2.0.0-dev+exp,true,network,network.inner,object,extended,,,Inner VLAN tag information +2.0.0-dev+exp,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +2.0.0-dev+exp,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +2.0.0-dev+exp,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +2.0.0-dev+exp,true,network,network.packets,long,core,,24,Total packets transferred in both directions. 
+2.0.0-dev+exp,true,network,network.protocol,keyword,core,,http,L7 Network protocol name. +2.0.0-dev+exp,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +2.0.0-dev+exp,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +2.0.0-dev+exp,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +2.0.0-dev+exp,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +2.0.0-dev+exp,true,observer,observer.egress,object,extended,,,Object field for egress information +2.0.0-dev+exp,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +2.0.0-dev+exp,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +2.0.0-dev+exp,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +2.0.0-dev+exp,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +2.0.0-dev+exp,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +2.0.0-dev+exp,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +2.0.0-dev+exp,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +2.0.0-dev+exp,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev+exp,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +2.0.0-dev+exp,true,observer,observer.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. 
+2.0.0-dev+exp,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev+exp,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +2.0.0-dev+exp,true,observer,observer.ingress,object,extended,,,Object field for ingress information +2.0.0-dev+exp,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +2.0.0-dev+exp,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +2.0.0-dev+exp,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +2.0.0-dev+exp,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +2.0.0-dev+exp,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +2.0.0-dev+exp,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +2.0.0-dev+exp,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +2.0.0-dev+exp,true,observer,observer.mac,keyword,core,array,,MAC addresses of the observer +2.0.0-dev+exp,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +2.0.0-dev+exp,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +2.0.0-dev+exp,true,observer,observer.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +2.0.0-dev+exp,true,observer,observer.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +2.0.0-dev+exp,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +2.0.0-dev+exp,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." 
+2.0.0-dev+exp,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +2.0.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +2.0.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +2.0.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +2.0.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +2.0.0-dev+exp,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +2.0.0-dev+exp,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +2.0.0-dev+exp,true,observer,observer.version,keyword,core,,,Observer version. +2.0.0-dev+exp,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +2.0.0-dev+exp,true,organization,organization.name,wildcard,extended,,,Organization name. +2.0.0-dev+exp,true,organization,organization.name.text,text,extended,,,Organization name. +2.0.0-dev+exp,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. +2.0.0-dev+exp,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +2.0.0-dev+exp,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +2.0.0-dev+exp,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +2.0.0-dev+exp,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." 
+2.0.0-dev+exp,true,package,package.installed,date,extended,,,Time when package was installed. +2.0.0-dev+exp,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +2.0.0-dev+exp,true,package,package.name,keyword,extended,,go,Package name +2.0.0-dev+exp,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +2.0.0-dev+exp,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +2.0.0-dev+exp,true,package,package.size,long,extended,,62231,Package size in bytes. +2.0.0-dev+exp,true,package,package.type,keyword,extended,,rpm,Package type +2.0.0-dev+exp,true,package,package.version,keyword,extended,,1.12.9,Package version +2.0.0-dev+exp,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +2.0.0-dev+exp,true,process,process.args_count,long,extended,,4,Length of the process.args array. +2.0.0-dev+exp,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev+exp,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +2.0.0-dev+exp,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev+exp,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +2.0.0-dev+exp,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +2.0.0-dev+exp,true,process,process.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +2.0.0-dev+exp,true,process,process.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. 
+2.0.0-dev+exp,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +2.0.0-dev+exp,true,process,process.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. +2.0.0-dev+exp,true,process,process.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +2.0.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process. +2.0.0-dev+exp,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +2.0.0-dev+exp,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +2.0.0-dev+exp,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +2.0.0-dev+exp,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +2.0.0-dev+exp,true,process,process.name,wildcard,extended,,ssh,Process name. +2.0.0-dev+exp,true,process,process.name.text,text,extended,,ssh,Process name. +2.0.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +2.0.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +2.0.0-dev+exp,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev+exp,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +2.0.0-dev+exp,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev+exp,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +2.0.0-dev+exp,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 
+2.0.0-dev+exp,true,process,process.parent.command_line,wildcard,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +2.0.0-dev+exp,true,process,process.parent.command_line.text,text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +2.0.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +2.0.0-dev+exp,true,process,process.parent.executable,wildcard,extended,,/usr/bin/ssh,Absolute path to the process executable. +2.0.0-dev+exp,true,process,process.parent.executable.text,text,extended,,/usr/bin/ssh,Absolute path to the process executable. +2.0.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +2.0.0-dev+exp,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +2.0.0-dev+exp,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +2.0.0-dev+exp,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +2.0.0-dev+exp,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +2.0.0-dev+exp,true,process,process.parent.name,wildcard,extended,,ssh,Process name. +2.0.0-dev+exp,true,process,process.parent.name.text,text,extended,,ssh,Process name. +2.0.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev+exp,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
+2.0.0-dev+exp,true,process,process.parent.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.parent.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +2.0.0-dev+exp,true,process,process.parent.pid,long,core,,4242,Process id. +2.0.0-dev+exp,true,process,process.parent.ppid,long,extended,,4241,Parent process' pid. +2.0.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +2.0.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. +2.0.0-dev+exp,true,process,process.parent.thread.name,wildcard,extended,,thread-0,Thread name. +2.0.0-dev+exp,true,process,process.parent.title,wildcard,extended,,,Process title. +2.0.0-dev+exp,true,process,process.parent.title.text,text,extended,,,Process title. +2.0.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +2.0.0-dev+exp,true,process,process.parent.working_directory,wildcard,extended,,/home/alice,The working directory of the process. +2.0.0-dev+exp,true,process,process.parent.working_directory.text,text,extended,,/home/alice,The working directory of the process. +2.0.0-dev+exp,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev+exp,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. 
+2.0.0-dev+exp,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +2.0.0-dev+exp,true,process,process.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +2.0.0-dev+exp,true,process,process.pgid,long,extended,,,Identifier of the group of processes the process belongs to. +2.0.0-dev+exp,true,process,process.pid,long,core,,4242,Process id. +2.0.0-dev+exp,true,process,process.ppid,long,extended,,4241,Parent process' pid. +2.0.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +2.0.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. +2.0.0-dev+exp,true,process,process.thread.name,wildcard,extended,,thread-0,Thread name. +2.0.0-dev+exp,true,process,process.title,wildcard,extended,,,Process title. +2.0.0-dev+exp,true,process,process.title.text,text,extended,,,Process title. +2.0.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +2.0.0-dev+exp,true,process,process.working_directory,wildcard,extended,,/home/alice,The working directory of the process. +2.0.0-dev+exp,true,process,process.working_directory.text,text,extended,,/home/alice,The working directory of the process. +2.0.0-dev+exp,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +2.0.0-dev+exp,true,registry,registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. 
+2.0.0-dev+exp,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +2.0.0-dev+exp,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +2.0.0-dev+exp,true,registry,registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +2.0.0-dev+exp,true,registry,registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +2.0.0-dev+exp,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +2.0.0-dev+exp,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +2.0.0-dev+exp,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +2.0.0-dev+exp,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +2.0.0-dev+exp,true,related,related.user,keyword,extended,array,,All the user names seen on your event. 
+2.0.0-dev+exp,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +2.0.0-dev+exp,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +2.0.0-dev+exp,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +2.0.0-dev+exp,true,rule,rule.id,keyword,extended,,101,Rule ID +2.0.0-dev+exp,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +2.0.0-dev+exp,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +2.0.0-dev+exp,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +2.0.0-dev+exp,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +2.0.0-dev+exp,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +2.0.0-dev+exp,true,rule,rule.version,keyword,extended,,1.1,Rule version +2.0.0-dev+exp,true,server,server.address,keyword,extended,,,Server network address. +2.0.0-dev+exp,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +2.0.0-dev+exp,true,server,server.as.organization.name,wildcard,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,server,server.as.organization.name.text,text,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +2.0.0-dev+exp,true,server,server.domain,wildcard,core,,,Server domain. +2.0.0-dev+exp,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +2.0.0-dev+exp,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev+exp,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+2.0.0-dev+exp,true,server,server.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +2.0.0-dev+exp,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev+exp,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,server,server.ip,ip,core,,,IP address of the server. +2.0.0-dev+exp,true,server,server.mac,keyword,core,,,MAC address of the server. +2.0.0-dev+exp,true,server,server.nat.ip,ip,extended,,,Server NAT ip +2.0.0-dev+exp,true,server,server.nat.port,long,extended,,,Server NAT port +2.0.0-dev+exp,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +2.0.0-dev+exp,true,server,server.port,long,core,,,Port of the server. +2.0.0-dev+exp,true,server,server.registered_domain,wildcard,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +2.0.0-dev+exp,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +2.0.0-dev+exp,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev+exp,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,server,server.user.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,server,server.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,server,server.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,server,server.user.group.name,keyword,extended,,,Name of the group. 
+2.0.0-dev+exp,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,server,server.user.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,server,server.user.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,server,server.user.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +2.0.0-dev+exp,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +2.0.0-dev+exp,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +2.0.0-dev+exp,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +2.0.0-dev+exp,true,service,service.state,keyword,core,,,Current state of the service. +2.0.0-dev+exp,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +2.0.0-dev+exp,true,service,service.version,keyword,core,,3.2.4,Version of the service. +2.0.0-dev+exp,true,source,source.address,keyword,extended,,,Source network address. +2.0.0-dev+exp,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +2.0.0-dev+exp,true,source,source.as.organization.name,wildcard,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,source,source.as.organization.name.text,text,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +2.0.0-dev+exp,true,source,source.domain,wildcard,core,,,Source domain. +2.0.0-dev+exp,true,source,source.geo.city_name,keyword,core,,Montreal,City name. 
+2.0.0-dev+exp,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev+exp,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +2.0.0-dev+exp,true,source,source.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +2.0.0-dev+exp,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev+exp,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,source,source.ip,ip,core,,,IP address of the source. +2.0.0-dev+exp,true,source,source.mac,keyword,core,,,MAC address of the source. +2.0.0-dev+exp,true,source,source.nat.ip,ip,extended,,,Source NAT ip +2.0.0-dev+exp,true,source,source.nat.port,long,extended,,,Source NAT port +2.0.0-dev+exp,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +2.0.0-dev+exp,true,source,source.port,long,core,,,Port of the source. +2.0.0-dev+exp,true,source,source.registered_domain,wildcard,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +2.0.0-dev+exp,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +2.0.0-dev+exp,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev+exp,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,source,source.user.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,source,source.user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,source,source.user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." 
+2.0.0-dev+exp,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,source,source.user.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,source,source.user.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,source,source.user.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +2.0.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +2.0.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +2.0.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +2.0.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +2.0.0-dev+exp,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +2.0.0-dev+exp,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +2.0.0-dev+exp,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. +2.0.0-dev+exp,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. 
+2.0.0-dev+exp,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +2.0.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +2.0.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. +2.0.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +2.0.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +2.0.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +2.0.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +2.0.0-dev+exp,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +2.0.0-dev+exp,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +2.0.0-dev+exp,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. +2.0.0-dev+exp,true,tls,tls.client.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. 
+2.0.0-dev+exp,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +2.0.0-dev+exp,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +2.0.0-dev+exp,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +2.0.0-dev+exp,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +2.0.0-dev+exp,true,tls,tls.client.subject,wildcard,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +2.0.0-dev+exp,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +2.0.0-dev+exp,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +2.0.0-dev+exp,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +2.0.0-dev+exp,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +2.0.0-dev+exp,true,tls,tls.client.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +2.0.0-dev+exp,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +2.0.0-dev+exp,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
+2.0.0-dev+exp,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +2.0.0-dev+exp,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev+exp,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +2.0.0-dev+exp,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +2.0.0-dev+exp,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +2.0.0-dev+exp,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +2.0.0-dev+exp,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +2.0.0-dev+exp,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +2.0.0-dev+exp,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +2.0.0-dev+exp,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +2.0.0-dev+exp,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +2.0.0-dev+exp,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country (C) code +2.0.0-dev+exp,true,tls,tls.client.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+2.0.0-dev+exp,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +2.0.0-dev+exp,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +2.0.0-dev+exp,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +2.0.0-dev+exp,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev+exp,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +2.0.0-dev+exp,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +2.0.0-dev+exp,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +2.0.0-dev+exp,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +2.0.0-dev+exp,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +2.0.0-dev+exp,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +2.0.0-dev+exp,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +2.0.0-dev+exp,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. +2.0.0-dev+exp,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. 
+2.0.0-dev+exp,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +2.0.0-dev+exp,true,tls,tls.server.issuer,wildcard,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +2.0.0-dev+exp,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +2.0.0-dev+exp,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +2.0.0-dev+exp,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +2.0.0-dev+exp,true,tls,tls.server.subject,wildcard,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +2.0.0-dev+exp,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +2.0.0-dev+exp,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +2.0.0-dev+exp,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +2.0.0-dev+exp,true,tls,tls.server.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+2.0.0-dev+exp,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +2.0.0-dev+exp,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +2.0.0-dev+exp,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +2.0.0-dev+exp,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev+exp,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +2.0.0-dev+exp,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +2.0.0-dev+exp,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +2.0.0-dev+exp,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +2.0.0-dev+exp,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +2.0.0-dev+exp,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +2.0.0-dev+exp,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +2.0.0-dev+exp,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +2.0.0-dev+exp,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+2.0.0-dev+exp,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country (C) code +2.0.0-dev+exp,true,tls,tls.server.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +2.0.0-dev+exp,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +2.0.0-dev+exp,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +2.0.0-dev+exp,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +2.0.0-dev+exp,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev+exp,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +2.0.0-dev+exp,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +2.0.0-dev+exp,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +2.0.0-dev+exp,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +2.0.0-dev+exp,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +2.0.0-dev+exp,true,url,url.domain,wildcard,extended,,www.elastic.co,Domain of the url. +2.0.0-dev+exp,true,url,url.extension,keyword,extended,,png,File extension from the original request url. +2.0.0-dev+exp,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +2.0.0-dev+exp,true,url,url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
+2.0.0-dev+exp,true,url,url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +2.0.0-dev+exp,true,url,url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +2.0.0-dev+exp,true,url,url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +2.0.0-dev+exp,true,url,url.password,keyword,extended,,,Password of the request. +2.0.0-dev+exp,true,url,url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +2.0.0-dev+exp,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +2.0.0-dev+exp,true,url,url.query,keyword,extended,,,Query string of the request. +2.0.0-dev+exp,true,url,url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +2.0.0-dev+exp,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +2.0.0-dev+exp,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +2.0.0-dev+exp,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev+exp,true,url,url.username,keyword,extended,,,Username of the request. +2.0.0-dev+exp,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,user,user.changes.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,user,user.changes.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.changes.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+2.0.0-dev+exp,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,user,user.changes.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,user,user.changes.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,user,user.changes.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.changes.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,user,user.effective.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,user,user.effective.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.effective.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,user,user.effective.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,user,user.effective.name,wildcard,core,,albert,Short name or login of the user. 
+2.0.0-dev+exp,true,user,user.effective.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,user,user.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,user,user.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +2.0.0-dev+exp,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,user,user.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,user,user.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,user,user.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +2.0.0-dev+exp,true,user,user.target.email,wildcard,extended,,,User email address. +2.0.0-dev+exp,true,user,user.target.full_name,wildcard,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.target.full_name.text,text,extended,,Albert Einstein,"User's full name, if available." +2.0.0-dev+exp,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. 
+2.0.0-dev+exp,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +2.0.0-dev+exp,true,user,user.target.group.name,keyword,extended,,,Name of the group. +2.0.0-dev+exp,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +2.0.0-dev+exp,true,user,user.target.id,keyword,core,,,Unique identifier of the user. +2.0.0-dev+exp,true,user,user.target.name,wildcard,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.target.name.text,text,core,,albert,Short name or login of the user. +2.0.0-dev+exp,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +2.0.0-dev+exp,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +2.0.0-dev+exp,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +2.0.0-dev+exp,true,user_agent,user_agent.original,wildcard,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +2.0.0-dev+exp,true,user_agent,user_agent.original.text,text,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +2.0.0-dev+exp,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +2.0.0-dev+exp,true,user_agent,user_agent.os.full,wildcard,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +2.0.0-dev+exp,true,user_agent,user_agent.os.full.text,text,extended,,Mac OS Mojave,"Operating system name, including the version or code name." 
+2.0.0-dev+exp,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +2.0.0-dev+exp,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." +2.0.0-dev+exp,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." +2.0.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." +2.0.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +2.0.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +2.0.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +2.0.0-dev+exp,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +2.0.0-dev+exp,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +2.0.0-dev+exp,true,vulnerability,vulnerability.description.text,text,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +2.0.0-dev+exp,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +2.0.0-dev+exp,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +2.0.0-dev+exp,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. 
+2.0.0-dev+exp,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +2.0.0-dev+exp,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +2.0.0-dev+exp,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +2.0.0-dev+exp,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +2.0.0-dev+exp,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +2.0.0-dev+exp,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +2.0.0-dev+exp,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 59e2fc4733..5aefba80d3 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -1318,6 +1318,25 @@ dll.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword +dns.answers: + dashed_name: dns-answers + description: 'An array containing an object for each answer section returned by + the server. + + The main keys that should be present in these objects are defined by ECS. Records + that have more information may contain more keys than what ECS defines. + + Not all DNS data sources give all details about DNS answers. At minimum, answer + objects must contain the `data` key. If more information is available, map as + much of it to ECS as possible, and add any additional fields to the answer objects + as custom fields.' + flat_name: dns.answers + level: extended + name: answers + normalize: + - array + short: Array of DNS answers. + type: object dns.answers.class: dashed_name: dns-answers-class description: The class of DNS data contained in this resource record. 
@@ -1599,7 +1618,6 @@ error.stack_trace: dashed_name: error-stack-trace description: The stack trace of this error in plain text. flat_name: error.stack_trace - index: true level: extended multi_fields: - flat_name: error.stack_trace.text diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 27b394ba24..977a5c2232 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -1667,6 +1667,25 @@ dns: (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`).' fields: + dns.answers: + dashed_name: dns-answers + description: 'An array containing an object for each answer section returned + by the server. + + The main keys that should be present in these objects are defined by ECS. + Records that have more information may contain more keys than what ECS defines. + + Not all DNS data sources give all details about DNS answers. At minimum, answer + objects must contain the `data` key. If more information is available, map + as much of it to ECS as possible, and add any additional fields to the answer + objects as custom fields.' + flat_name: dns.answers + level: extended + name: answers + normalize: + - array + short: Array of DNS answers. + type: object dns.answers.class: dashed_name: dns-answers-class description: The class of DNS data contained in this resource record. @@ -1971,7 +1990,6 @@ error: dashed_name: error-stack-trace description: The stack trace of this error in plain text. flat_name: error.stack_trace - index: true level: extended multi_fields: - flat_name: error.stack_trace.text 
@@ -10454,14 +10472,16 @@ vulnerability: title: Vulnerability type: group x509: - description: This implements the common core fields for x509 certificates. This + description: 'This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable - binaries, S/MIME information in email bodies, or analysis of files on disk. When - only a single certificate is logged in an event, it should be nested under `file`. - When hashes of the DER-encoded certificate are available, the `hash` data set - should be populated as well (e.g. `file.hash.sha256`). For events that contain - certificate information for both sides of the connection, the x509 object could - be nested under the respective side of the connection information (e.g. `tls.server.x509`). + binaries, S/MIME information in email bodies, or analysis of files on disk. + + When the certificate relates to a file, use the fields at `file.x509`. When hashes + of the DER-encoded certificate are available, the `hash` data set should be populated + as well (e.g. `file.hash.sha256`). + + Events that contain certificate information about network connections, should + use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.' fields: x509.alternative_names: dashed_name: x509-alternative-names diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 5247e36816..0bfd44d084 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -4,7 +4,7 @@ ], "mappings": { "_meta": { - "version": "2.0.0-dev" + "version": "2.0.0-dev+exp" }, "date_detection": false, "dynamic_templates": [ @@ -568,7 +568,8 @@ "ignore_above": 1024, "type": "keyword" } - } + }, + "type": "object" }, "header_flags": { "ignore_above": 1024, 
diff --git a/experimental/schemas/dns.yml b/experimental/schemas/dns.yml index 54f9ccd69a..466859c09f 100644 --- a/experimental/schemas/dns.yml +++ b/experimental/schemas/dns.yml @@ -3,5 +3,7 @@ fields: - name: question.name type: wildcard + - name: answers + type: object - name: answers.data type: wildcard diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 06e7c5ce68..0361f97cdf 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -5825,15 +5825,18 @@ - name: x509 title: x509 Certificate group: 2 - description: This implements the common core fields for x509 certificates. This + description: 'This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files - on disk. When only a single certificate is logged in an event, it should be - nested under `file`. When hashes of the DER-encoded certificate are available, - the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For - events that contain certificate information for both sides of the connection, - the x509 object could be nested under the respective side of the connection - information (e.g. `tls.server.x509`). + on disk. + + When the certificate relates to a file, use the fields at `file.x509`. When + hashes of the DER-encoded certificate are available, the `hash` data set should + be populated as well (e.g. `file.hash.sha256`). + + Events that contain certificate information about network connections, should + use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or + `tls.client.x509`.' type: group fields: - name: alternative_names diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index ac3f079ba3..1352e844e5 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -10163,14 +10163,16 @@ vulnerability: title: Vulnerability type: group x509: - description: This implements the common core fields for x509 certificates. This + description: 'This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable - binaries, S/MIME information in email bodies, or analysis of files on disk. When - only a single certificate is logged in an event, it should be nested under `file`. - When hashes of the DER-encoded certificate are available, the `hash` data set - should be populated as well (e.g. `file.hash.sha256`). For events that contain - certificate information for both sides of the connection, the x509 object could - be nested under the respective side of the connection information (e.g. `tls.server.x509`). + binaries, S/MIME information in email bodies, or analysis of files on disk. + + When the certificate relates to a file, use the fields at `file.x509`. When hashes + of the DER-encoded certificate are available, the `hash` data set should be populated + as well (e.g. `file.hash.sha256`). + + Events that contain certificate information about network connections, should + use the x509 fields under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.' fields: x509.alternative_names: dashed_name: x509-alternative-names diff --git a/rfcs/text/0007-multiple-users.md b/rfcs/text/0007-multiple-users.md index 9403eecb0a..31e015e8b9 100644 --- a/rfcs/text/0007-multiple-users.md +++ b/rfcs/text/0007-multiple-users.md @@ -1,8 +1,8 @@ # 0007: Multiple users in an event -- Stage: **2 (proposal)** -- Date: **2020-10-02** +- Stage: **3 (candidate)** +- Date: **2020-11-11** Many log events refer to more than one user at the same time. Examples of this are remote logons as someone else, user management and privilege escalation. 
@@ -67,7 +67,7 @@ This can be seen in more detail on PR [ecs#869](https://github.com/elastic/ecs/p The examples below will only populate `user.name` and sometimes `user.id` inside the various `user` nestings, for readability. -However in implementations, otherwise noted all `user` fields that can reasonably +However in implementations, unless otherwise noted, all `user` fields that can reasonably be populated in each location should be populated. ### User fields at the Root of an Event @@ -636,14 +636,6 @@ and the assumed role in the `userIdentity`. This makes it easy to keep track of the real user at `user.*` and the escalated privileges at `user.effective.*` in all subsequent activity after privilege escalation. - - - - ## Scope of impact ### New fields for IAM @@ -671,12 +663,12 @@ These came up while working on this RFC; this is not guidance that was given in the past. Data sources that populate these fields will need to be revisited and adjusted accordingly. - +Please let us know before the next major ECS release if you disagree with this, and share how you're using them. ## Concerns @@ -686,11 +678,11 @@ In past discussions and recent research, we have not identified a clear purpose for the user fields nested at `host.user.*`. We are considering deprecating these fields with the intent to remove them completely. -Please let us know if you disagree with this, and share how you're using them. #### Resolution -No resolution yet. +They will be marked as deprecated starting with ECS 1.8, and will be removed in +the next ECS major release. ### Documenting the purpose of each usage of the user fields @@ -727,7 +719,7 @@ Stage 4: Identify at least one real-world, production-ready implementation that The following are the people that consulted on the contents of this RFC. * @webmat | author -* TBD | sponsor +* @jonathan-buttner | sponsor * @leehinman | subject matter expert * @janniten | subject matter expert * @willemdh | subject matter expert 
@@ -765,6 +757,7 @@ e.g.: * Stage 2: https://github.com/elastic/ecs/pull/914 * Stage 2 correction: https://github.com/elastic/ecs/pull/996 +* Stage 3: https://github.com/elastic/ecs/pull/1017 Note: This RFC was initially proposed via a PR that targeted stage 2, given the amount of discussion that has already has happened on this subject. diff --git a/rfcs/text/0009-data_stream-fields.md b/rfcs/text/0009-data_stream-fields.md new file mode 100644 index 0000000000..dff6a963bc --- /dev/null +++ b/rfcs/text/0009-data_stream-fields.md 
@@ -0,0 +1,189 @@ +# 0009: Data stream fields + + +- Stage: **1 (proposal)** +- Date: **2020-11-11** + +When introducing the new indexing strategy for Elastic Agent which uses data streams, we found that adding a few [constant_keyword](https://www.elastic.co/guide/en/elasticsearch/reference/master/keyword.html#constant-keyword-field-type) fields corresponding to the central components in the new indexing strategy would be advantageous. + + + + + + +## Fields + + + +This RFC proposes to introduce a new fieldset called "data_stream". The fieldset consists of the following fields: +Field | Mapping type | Description +----------|--------------|-------------- +data_stream.type | constant_keyword | An overarching type for the data stream. Currently allowed values include "logs", "metrics". We expect to also add "traces" and "synthetics" in the near future +data_stream.dataset | constant_keyword | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. +data_stream.namespace | constant_keyword | A user defined namespace. Namespaces are useful to allow grouping of data. Many of our customers already organize their indices this way, and now we are providing this best practice as a default. Many people will use `default` as the value. + +In the new indexing strategy, the value of the data stream fields combine to the name of the actual data stream in the following manner `{data_stream.type}-{data_stream.dataset}-{data_stream.namespace}`. This means the fields can only contain characters that are valid as part of names of data streams. 
+ +### Restrictions on values + +Due to the fact that the values of the `data_stream` fields make up the data stream name, the restrictions on data stream names also apply to values for the `data_stream` fields. As an example, they cannot include \, /, *, ?, ", <, >, |, ` `. Please see the Elasticsearch reference for [restrictions on index/data stream names](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html#indices-create-api-path-params). Here follows the _additional_ restrictions imposed on the data stream fields: + +**data_stream.type** + +`data_stream.type` is restricted to `logs` or `metrics` for now. + +Any future values for `data_stream.type` should also adhere to the following restrictions (these are derived from the Elasticsearch index restrictions): +* Must not contain `-` +* Must not start with `+` or `_` + +**data_stream.dataset** + +* Must not contain `-` +* No longer than 100 chars + +**data_stream.namespace** + +* No longer than 100 chars + + +### On the use of Constant Keyword fields + +The new indexing strategy results in users having many more indices than they used to. Elasticsearch is very good at searching for specific documents across indices, but for some common queries we can make it even better by using `constant_keyword` fields. For example, it's often the case that you'd want to find only documents that contain logs from a certain service or logs from a given namespace. For a query such as `data_stream.type: logs AND data_stream.namespace: billing-app` Elasticsearch can quickly determine that only a small subset of the indices are relevant to search through. + + + + +## Usage + + + +Data stream fields are already in use in Elastic Agent. Leveraging the data stream fields described here allow users to filter by a specific data type (logs, metrics etc.), dataset (nginx.access, prometheus) or namespace. 
The following are examples of common queries pertaining to specific datatypes, datasets or namespaces: + +* `data_stream.type: logs` +* `data_stream.dataset: nginx.access` +* `data_stream.type: logs AND data_stream.namespace: web-frontend` + +As previously described, fields mapped as `constant_keyword` allows Elasticsearch to drastically optimize queries involving those fields. See the [Elasticsearch documentation](https://www.elastic.co/guide/en/elasticsearch/reference/current/faster-filtering-with-constant-keyword.html) on `constant_keyword` for more information. + + +## Source data + + + +Today, Elastic Agent adds the data_stream fields in all documents ingested. It's also possible to use the fields in data from other data sources. Elasticsearch 7.9+ ships with built-in index template mappings which will ensure that documents indexed into data streams that match `logs-*-*` and `metrics-*-*` will get the fields mapped correctly to `constant_keyword` types. + +### Using data_stream fields with regular indices +`data_stream` fields only make sense when indexing into data streams. They should not to be used for regular indices. + + + + + + +## Scope of impact + +* We've described that `generic` is a valid value for `data_stream.dataset` in some cases. Since `event.dataset` should always have the same value, this will also apply to `event.dataset`. We should update the documentation on `event.dataset` to reflect this. +* Since `data_stream.dataset` and `event.dataset` should contain the same value, the restrictions imposed on `data_stream.dataset` might affect the `event.dataset` value. This means users may need to translate their custom dataset values (e.g. `event.dataset: firewall/config`) to an equivalent legal dataset, according to the character restrictions imposed by the use of the value in `data_stream.dataset`, for example `data_stream.dataset: firewall.config`. 
+ + + + + +## Concerns + + +### Relation to event.* fields +Concerns have been raised about how these fields relate to the event fields. Specifically, `event.type`, `event.kind`, `event.category` etc. Specifically, `data_stream.type` seems closer to `event.kind` than `event.type`. There are other inconsistencies here and we didn't find a way to square this concern at the time. It was decided to move forward with the `data_stream` fields for now and consider them to be unrelated to the event fields. `event.dataset` and `data_stream.dataset`, however, should contain the same value. + + + + + + + +## Real-world implementations + + + +Elastic Agent already uses the data_stream fields. + +Additionally, as previously described, beginning in version 7.9, Elasticsearch ships with built-in index templates for data streams which will automatically ensure that data_stream fields get correctly mapped when the data stream name match `logs-*-*` and `metrics-*-*`. + + +## People + +The following are the people that consulted on the contents of this RFC. + +* @roncohen | author, sponsor +* @ruflin | subject matter expert + + + + + +## References + + + +* Elasticsearch documentation on the [constant_keyword mapping type](https://www.elastic.co/guide/en/elasticsearch/reference/master/keyword.html#constant-keyword-field-type) +* https://www.elastic.co/guide/en/elasticsearch/reference/current/faster-filtering-with-constant-keyword.html +* Previous discussion on [dataset fields](https://github.com/elastic/ecs/pull/845) +* Discussion on [field value restrictions](https://github.com/elastic/kibana/issues/75846) +* Restrictions on [index names](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html) + + +### RFC Pull Requests + + + +* Stage 1: https://github.com/elastic/ecs/pull/980 + + diff --git a/schemas/README.md b/schemas/README.md index 88440c0354..39b18f4bd7 100644 --- a/schemas/README.md +++ b/schemas/README.md 
@@ -129,7 +129,8 @@ Supported keys to describe fields Example values that are composite types (array, object) should be quoted to avoid YAML interpretation in ECS-generated artifacts and other downstream projects depending on the schema. - multi\_fields (optional): Specify additional ways to index the field. -- index (optional): If `False`, means field is not indexed (overrides type) +- index (optional): If `False`, means field is not indexed (overrides type). This parameter has no effect + on a `wildcard` field. - format: Field format that can be used in a Kibana index template. - normalize: Normalization steps that should be applied at ingestion time. Supported values: - array: the content of the field should be an array (even when there's only one value). @@ -151,7 +152,7 @@ Supported keys to describe expected values for a field Optionally, entries in this list can specify 'expected\_event\_types'. - expected\_event\_types: list of expected "event.type" values to use in association with that category. - + Supported keys when using the [alias field type](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html) ```YAML diff --git a/schemas/x509.yml b/schemas/x509.yml index 06209dcbeb..124551c96c 100644 --- a/schemas/x509.yml +++ b/schemas/x509.yml 
@@ -6,10 +6,12 @@ description: >
 This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk.
- When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded
- certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that
- contain certificate information for both sides of the connection, the x509 object could be nested under the respective
- side of the connection information (e.g. `tls.server.x509`).
+
+ When the certificate relates to a file, use the fields at `file.x509`. When hashes of the DER-encoded
+ certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`).
+
+ Events that contain certificate information about network connections, should use the x509 fields
+ under the relevant TLS fields: `tls.server.x509` and/or `tls.client.x509`.
 type: group
 reusable:
 top_level: false
diff --git a/scripts/generator.py b/scripts/generator.py
index 92b877499c..7e009d5fad 100644
--- a/scripts/generator.py
+++ b/scripts/generator.py
@@ -40,6 +40,10 @@ def main():
 # statements like this after any step of interest.
 # ecs_helpers.yaml_dump('ecs.yml', fields)
+ # Detect usage of experimental changes to tweak artifact version label
+ if loader.EXPERIMENTAL_SCHEMA_DIR in args.include:
+ ecs_version += "+exp"
+
 fields = loader.load_schemas(ref=args.ref, included_files=args.include)
 if args.oss:
 oss.fallback(fields)
diff --git a/scripts/schema/cleaner.py b/scripts/schema/cleaner.py
index ab3acfcaeb..185d0abedc 100644
--- a/scripts/schema/cleaner.py
+++ b/scripts/schema/cleaner.py
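Review bot: `loader.EXPERIMENTAL_SCHEMA_DIR in args.include` assumes `args.include` is always a list, but the `if included_files and len(included_files) > 0:` guard in loader.py further down suggests it can be empty or None, and a membership test on None raises TypeError before any schema is loaded. Guarding the test the same way, `if args.include and loader.EXPERIMENTAL_SCHEMA_DIR in args.include:`, keeps the two call sites consistent. The comparison is also an exact string match, so spelling the directory as `experimental/schemas/` or as an absolute path would presumably still load the experimental schemas while the artifacts keep the plain version label; comparing normalized paths (e.g. via `os.path.normpath`) would make the `+exp` label track what is actually loaded. main() begins before and continues after this hunk.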
@@ -144,6 +144,9 @@ def field_or_multi_field_datatype_defaults(field_details):
 field_details.setdefault('ignore_above', 1024)
 if field_details['type'] == 'text':
 field_details.setdefault('norms', False)
+ # wildcard needs the index param stripped
+ if field_details['type'] == 'wildcard':
+ field_details.pop('index', None)
 if 'index' in field_details and not field_details['index']:
 field_details.setdefault('doc_values', False)
diff --git a/scripts/schema/loader.py b/scripts/schema/loader.py
index e953834d97..07477551af 100644
--- a/scripts/schema/loader.py
+++ b/scripts/schema/loader.py
@@ -42,6 +42,9 @@
 # Examples of this are 'dns.answers', 'observer.egress'.
+EXPERIMENTAL_SCHEMA_DIR = 'experimental/schemas'
+
+
 def load_schemas(ref=None, included_files=[]):
 """Loads ECS and custom schemas. They are returned deeply nested and merged."""
 # ECS fields (from git ref or not)
@@ -51,8 +54,6 @@ def load_schemas(ref=None, included_files=[]):
 schema_files_raw = load_schema_files(ecs_helpers.ecs_files())
 fields = deep_nesting_representation(schema_files_raw)
- EXPERIMENTAL_SCHEMA_DIR = 'experimental/schemas'
-
 # Custom additional files
 if included_files and len(included_files) > 0:
 print('Loading user defined schemas: {0}'.format(included_files))
diff --git a/scripts/tests/unit/test_schema_cleaner.py b/scripts/tests/unit/test_schema_cleaner.py
index 13f78c4e91..bc3dbdc621 100644
--- a/scripts/tests/unit/test_schema_cleaner.py
+++ b/scripts/tests/unit/test_schema_cleaner.py
@@ -223,6 +223,10 @@ def test_field_defaults(self):
 cleaner.field_defaults({'field_details': field_details})
 self.assertEqual(field_details['doc_values'], False)
+ field_details = {**field_min_details, **{'type': 'wildcard', 'index': True}}
+ cleaner.field_defaults({'field_details': field_details})
+ self.assertNotIn('index', field_details)
+
 def test_field_defaults_dont_override(self):
 field_details = {
 'description': 'description',
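Review bot: The comment `# wildcard needs the index param stripped` states what the added `pop` does but not why; the README change in this commit records that `index` has no effect on a `wildcard` field, and the comment should carry that reason so the next reader does not "fix" it, e.g. `# index has no effect on the wildcard type (see schemas/README.md), so drop it before artifacts are generated`. The pop is silent, so a schema author who writes `index: false` on a wildcard field gets neither the setting nor the `doc_values: False` default that the following `if` applies to other types, with nothing in the output pointing at the discarded key; if the cleaner has a strict-mode warning path, emitting a warning there when a value was actually present would surface that. field_or_multi_field_datatype_defaults starts before this hunk.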
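Review bot: The new assertion in test_field_defaults only exercises `index: True`; the value that interacts with the rest of the cleaner is `index: False`, where stripping the key also means the `doc_values: False` default is no longer applied to a wildcard field. A second case pins that: `field_details = {**field_min_details, **{'type': 'wildcard', 'index': False}}`, then after the same `cleaner.field_defaults(...)` call, `self.assertNotIn('index', field_details)` and `self.assertNotIn('doc_values', field_details)`. test_field_defaults starts before this hunk.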